Salesforce Developer Security Identity Confirmation


// Salesforce - Developer - Security - Identity Confirmation:

Identity confirmation is used to verify the identities of users coming from 
unknown devices, and adds an extra layer of security on top of the 
authentication and single-sign-on features. When a user comes from an unknown 
device with a new IP address, the user is challenged to provide an identity 
confirmation code delivered via email, SMS, or a mobile authenticator app. Once 
the user completes the identity confirmation challenge, the device (and client 
browser) is considered activated.

For administrators, this feature provides information about all the activated 
device IP addresses and client browser information for all users in their 
organization. Administrators can revoke the activation status for one, many, or 
all users and can filter on specific criteria, such as username or login IP to 
determine which activated devices to revoke.

A user can tell their organization administrator that their device has been 
lost, but they’ve been issued a new device and still need access to the 
organization. The organization administrator can revoke the lost device and 
client browser activation status, effectively removing the IP address and IC 
browser information from the database. Anyone attempting to access the 
organization from that revoked device will be challenged for identity 
confirmation, adding a needed layer of security, while making sure users stay 

For users, this feature gives information about their activated device IP 
addresses and client browser information. Each user can revoke the activation 
status for any of their IP addresses, but not for any other user.

Example: A user logs into their organization and looks at their activated 
devices on the Activations page, and notices that there are several devices 
activated. The user has only ever been logged in from their work laptop and 
doesn’t recognize the IP addresses, so they immediately revoke the activation 
status of those devices. Since the user is challenged for identity confirmation 
using SMS to their mobile device, anyone trying to log into the organization 
from one of those unknown devices will fail the identity confirmation challenge. 
The user can then report the potential security breach.
Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-ShareAlike 3.0 License