All new Salesforce orgs are now set up so that identity verification by email occurs only if the user has no other identity verification methods registered. Possible identity verification methods include Salesforce Authenticator, SMS, time-based one-time password (TOTP), physical key (U2F), and email. The new setting, Prevent identity verification by email when other methods are registered, appears on Identity Verification and Session Settings Setup pages. To increase security in your existing orgs, Salesforce recommends that you enable this setting.
Where: This feature applies to all editions of Salesforce Classic and Lightning Experience. It also applies to all Lightning and Salesforce Tabs + Visualforce communities accessed through Lightning Experience and Salesforce Classic in Essentials, Enterprise, Performance, Unlimited, and Developer editions. SMS verification messaging is available in Lightning Experience, Salesforce Classic, and all versions of the Salesforce app. The Identity Verification Credits add-on license is available for purchase for all editions.
Who: Customers who have an Identity Verification Credits license and use device activation by text message can enable identity verification by text message. If you don’t know your org’s limit of SMS messages for identity verification, contact your Salesforce account rep. On external users’ profiles, the option Enable Device Activation allows external users to verify their identity by text message.
How: From Setup, in the Quick Find box, enter Identity Verification, and then select Prevent identity verification by email when other methods are registered.