why do I need to put in a verification code each time I log in? - Answers - Salesforce Trailblazer Community
Trailblazer Community
Ask Search:
Sara BoxSara Box 

why do I need to put in a verification code each time I log in?

Best Answer chosen by Sara Box
Raj JhaRaj Jha
Hi Sara,

If you login with different gateway IP addresses it ask for verficiation code for first time for each IP address. 

Because of security reason., After entered verifciation code your gateway IP address is added in trusted IP addresses for that organization then it will not ask again for verification code. 

If you want they not says for Verification, add you IP address in Trusted IP Ranges.
setup -> Security Controls -> Network Access -> New Button.

For know your IP address: enter below website in you URL - 
http://www.whatismyip.com/

Thanks

 

All Answers

Amitkumar BangadAmitkumar Bangad
HI Sara,

Are you loggin in via different IPs?

thanks
Grazitti Interactive™Grazitti Interactive™
Hi sara,

you are logging in with different ips, 
mark it best answer if it works for you

thanks &  regards,
Grazitti Team
Raj JhaRaj Jha
Hi Sara,

If you login with different gateway IP addresses it ask for verficiation code for first time for each IP address. 

Because of security reason., After entered verifciation code your gateway IP address is added in trusted IP addresses for that organization then it will not ask again for verification code. 

If you want they not says for Verification, add you IP address in Trusted IP Ranges.
setup -> Security Controls -> Network Access -> New Button.

For know your IP address: enter below website in you URL - 
http://www.whatismyip.com/

Thanks

 
This was selected as the best answer
Sara BoxSara Box
No it's the same computer I use everyday? 
Amitkumar BangadAmitkumar Bangad
Well then it has someting to do with the browser and cookies. Did you use different browser ? If No - Did you clear the cookies and history any chance?

Also whitelisting IP as mentioned above is a good practice.
 
Raj JhaRaj Jha
Ok Sara, can you do please one thing - 

Note the IP address from http://www.whatismyip.com/
Then login in Salesforce. 
then logout from Salesforce.


After few minutes. 
Note the the IP address again from http://www.whatismyip.com/
then login again in Salesforce. 

If both IP addresses are same and still it ask for verification code, in that case we need create a case for salesforce support. 

Thanks
Sara BoxSara Box
That's great - thanks Raj I think I've sorted it.
Raj JhaRaj Jha
Welcome Sara.
Thanks for selected as Best Answer. 
Gabriel NituGabriel Nitu
Sara,

The best practice is to have the system challenging you with the verification code. I know that some times this process can be inconvenient but it is a security layer and I will recommend to not whitelist the IP's.
Also, you can enable Email-Based Identity Confirmation and with the mobile number verified properly you can choose either an Email or an SMS for the verification process

Verification code sent via email and / orSMS information

https://help.salesforce.com/apex/HTViewSolution?urlname=Verification-code-sent-via-email-and-or-SMS&language=en_US

Thanks
Ruben GiosaRuben Giosa
I am having the same problem but only you the same device over and over in my office. I am using firefox if that makes any difference
Guy TremblayGuy Tremblay
Ruben:  Looks to be an issue with the latest request- check this out:  https://success.salesforce.com/issues_view?id=a1p30000000jgjkAAA
Gabriel NituGabriel Nitu
Guy, the KI is not tight with the new IC feature Spring'16.

Every time when a user logs in from a new device / browser, the platform will challenge them with Identity Confirmation, regardless if it is the same IP address.

Please see Spring'16 release notes
page 315 Improved Security for Device Activations
https://resources.docs.salesforce.com/200/latest/en-us/sfdc/pdf/salesforce_spring16_release_notes.pdf

https://help.salesforce.com/apex/HTViewSolution?urlname=Why-am-I-asked-to-verify-upon-login&language=en_US

Since an IP address isn’t a reliable indicator of a user’s identity, we’ve changed our risk-based authentication protocol in Spring'16.
If the user browser is set to clear cache & cookies, then Salesforce will not recognize the browser and it will challenge the user every log in.

Either of the two resolutions listed below will work as your company is stating they trust these IP ranges.

1. Login IP Restrictions can be added for each individual profile to limit access of those users to a known set of ranges. These steps can be found in the article:
Restrict Login IP Ranges in the Enhanced Profile User Interface.
https://help.salesforce.com/apex/HTViewHelpDoc?id=users_profiles_epui_login_ip_ranges_edit.htm&language=en_US

2. If you would like to whitelist IP addresses for you entire Salesforce org, those can be added to the Network Access list as shown in article:
What is the difference between Network Access, Session Settings, and Profile-Based IP Restrictions
https://help.salesforce.com/apex/HTViewSolution?id=000199100&language=en_US
Julie TauschJulie Tausch
Is this an issue that can be resolved with the Salesforce Authentication App?
Amanda ElmoreAmanda Elmore
This is an issue for my org as well. My IT department has stated that we use dynamic IP so we're unable to whitelist the range as it changes so often. I use chrome and I have my cookies setup to allow data to be set. I've also even added [*.]salesforce.com as an exception to always allow - however I'm still being prompted to verify my identity. My users complain to me daily about having to do this. How can I fix this!?
Gabriel NituGabriel Nitu
Being Asked for an Identity Verification Code on Every Login
https://help.salesforce.com/apex/HTViewSolution?urlname=After-Spring-16-why-am-I-asked-for-Identity-Confirmation-Verification-code-on-every-login&language=en_US


Allowing access from any location & device is a security risk for your organization and your data, as users credentials can get easily compromised> Your Security & IT team will not be able to control users personal devices.

Salesforce is dedicated to help customers be more secure when accessing our service. We vent unauthorized access to their Salesforce orgs.
As a Salesforce admin, there are features built into the platform that you can enable to make the experience as secure as possible for you with the evolving threat landscape.

Salesforce Security Guide
https://resources.docs.salesforce.com/202/latest/en-us/sfdc/pdf/salesforce_summer16_release_notes.pdf

I would like to make you aware that your Salesforce organization has a high Security risk as your users can log in from any location and any device.
Your IT / Security team will not be able to control your users personal devices and their credentials can be compromised easily.

One of the key features that we highly recommend our customers enable is Login IP Range restrictions.

Profile Level Login IP Ranges (Login IP Range restrictions) are a key security feature available to all customers that allows users to only access Salesforce from a set of designated IP ranges/addresses.
Login IP range restrictions limit access by requiring users to login to Salesforce from designated IP addresses—typically the corporate network or VPN.
By using Login IP Ranges Restrictions, admins can define a range of permitted IP addresses to control access to Salesforce. Those who try to login to Salesforce from outside the designated IP addresses will not be granted access. For example, you might want to restrict the allowed range of IP addresses to those inside your corporate firewall, so employees can’t log in from other locations.

Login IP Ranges and VPN
If you have users who travel or work remote you will need to consider ways of incorporating the IP ranges that they may use. Realistically, the use of login IP range restrictions while traveling becomes more difficult without the use of a VPN.
A Virtual Private Network (VPN) is an extension of your company's internal network. VPN connections allow users who travel or work remotely to connect back to your private network securely over the public Internet. If your company uses VPN, it is likely that remote users are using the same IP ranges as the rest of the users in the office. Org-wide Trusted IP Ranges should be set to allow logins from IP addresses associated with your VPN.
We recommend working with your IT department or security team to understand how your workforce uses VPNs.

This security control becomes more effective the more granular you make it. The most effective way to implement Login IP range restrictions is to identify appropriate login ranges for each profile type and ensure that those profiles are correctly assigned to the right users. For instance, your in-house call center representatives may have one set of IP ranges, while your sales representatives may need more permissive IP range restrictions to allow them to work while traveling (the IPs corresponding to your company’s VPN)

In addition, the system admin should contact third party vendors (API integrations or apps) to identify their IP ranges that need to be added under the profiles. Please be aware that as soon as you add IP restrictions under the profile, the Reset Security Token used for the integrations will not be available to be reset. For additional information regarding the security token, please contact Salesforce Support and by submitting a case under the Security Skill Group.

Additional Layers of Authentication
If you find that Login IP ranges do not work for your org or you want to find more ways to keep your Salesforce implementation secure (you can do or use ALL of these things), there are more things you can do to secure your organization against stolen credentials.

Two Factor Authentication
The System Admin can require users to enter a time-based token generated from an authenticator app when users are log into Salesforce.
To require this verification every time users log into Salesforce, select the “Two-Factor Authentication for User Interface Logins” permission in the user profile or permission set.
If you have the “Two-Factor Authentication for API Logins” permission, you must enter this token to access the service instead of the standard security token.

See a demonstration of Two-Factor Authentication for Salesforce, and when to use it.
https://www.youtube.com/watch?v=p8v64jwEmt0

https://help.salesforce.com/apex/HTViewHelpDoc?id=security_require_two-factor_authentication.htm&language=en_US

Custom Login Flows
https://help.salesforce.com/apex/HTViewHelpDoc?id=security_login_flow.htm&language=en_US

Login IP Ranges and SSO
Login IP range restrictions are compatible with your company’s SSO/SAML-authentication system. If your SSO provider already has IP range restrictions in place, you may not need to enable them for your Salesforce organization. However, you may want to consider adding profile-based restrictions for each user in your Salesforce org even if you already use SSO.

https://developer.salesforce.com/page/Single_Sign-On_with_Force.com_and_Microsoft_Active_Directory_Federation_Services

https://developer.salesforce.com/page/Single_Sign-On_with_SAML_on_Force.com

If you are a user with profile based IP restrictions and are using Salesforce1 on your mobile device, you must first connect from a trusted IP address. Thereafter, the device you are using is trusted and no longer needs to come from a specific IP address until that trust expires. As an administrator you can choose that duration of that trust, i.e., 30 days.

The Salesforce1 Mobile App obeys IP Range restrictions out of the box. As an org Admin, you can expand the IP Ranges whitelist for Salesforce1 to allow your users access according to their needs. Salesforce1 can be configured to bypass (or not) IP restrictions.

Salesforce1 - How to login with IP Restrictions
https://help.salesforce.com/apex/HTViewSolution?urlname=Salesforce1-How-to-login-with-IP-Restrictions&language=en_US