If the user is already registered then log in to Salesforce from a browser or application that we do not recognize, and if users IP address is outside a trusted IP range, we are prompted to verify your identity.
There are some of the identity verification methods:
- Salesforce Authenticator Mobile App: If we are connected to the Salesforce Authenticator app (version 2 or later) from our account, then use the app to verify our Salesforce account activity. Salesforce sends a push notification to our mobile device, after getting the notification, open the app, and verify the activity details, and at last press “Approve” on our mobile device.
- U2F Security Key: If we are registered with a U2F Security Key which is associated with our email account, use the security key that is sent to our email account to verify our Salesforce account activity. Salesforce prompts us to insert the security key into our computer’s USB port.
- One-Time Password Generator App: If we are connected to an authenticator app for ex: Google Authenticator or Salesforce Authenticator to our account, then use the mobile app to generate a verification code. So, this type of code is known as “Time-Based One-Time Password.” And the code value of this authentication changes periodically.
- SMS Text Message: If we have a verified mobile number associated with our account, and we are receiving a verification code in a text message sent to our phone. If we don’t have a verified mobile number, then we are prompted to register one when we log in to Salesforce and registering with our mobile phone number verifies it and enables this method. If the mobile number changes, then it is required to contact your Salesforce administrator.
- Email: Salesforce sends a verification code in an email to the address associated with our account, and the code will expire after 24 hours.
NOTE
You have noticed that the identity verification page includes a “Don’t ask again” option that is selected by default. If we unselect the selected option and then click Verify, then the Salesforce doesn’t ask us to verify our identity again when we log in from the same browser or application. Exceptions are if we clear browser cookies, set our browser to delete cookies or browse in private or incognito mode. In these cases, we’re prompted to verify our identity every time we log in to Salesforce from an IP address that’s not defined as trusted for our Org.
If we log in from a public or shared device and unselect “Don’t ask again” option, then unselecting this option ensures that subsequent users have to verify their identity when they log in from that device.