You can initiate two-factor authentication with two new Apex methods and enable it for External Identity users with a user permission. In addition, API-only users can register for two-factor authentication in the Salesforce UI. For easier integration with third-party identity providers, turn off case sensitivity of Federation IDs for your Salesforce org. And stop your users from signing in to external identity providers with their Salesforce credentials, even when single sign-on is configured, by enabling delegated authentication through a Salesforce org preference.
- Initiate Two-Factor Authentication with Apex
  Initiate your two-factor authentication process with two new Apex methods in the System.UserManagement class. To verify a user's identity with email, phone (SMS), or Salesforce Authenticator verification, pair the methods: one initiates the verification service and the other completes it. For password or time-based one-time password (TOTP) verification, the second method alone provides a complete verification service.

- Enable Two-Factor Authentication for External Users
  We added the Two-Factor Authentication for User Interface Logins user permission to the External Identity license, so you can now enable two-factor authentication for your external users just as you do for your internal users. Enable this user permission on an external identity user profile, or assign external identity users a permission set that includes it.

- API-Only Users Can Register for Two-Factor Authentication in the Salesforce UI
  API-only users can now access the Salesforce UI to register for two-factor authentication. After a successful authentication, API-only users are restricted from accessing the UI.

- Allow Highly Trusted Users to Skip Identity Verification
  Allow highly trusted users to log in to your Salesforce org from a new device without verifying their identity with a second factor, such as an SMS code. Because of the security risk, we don't recommend enabling this permission except when the user is highly trusted, for example, when Salesforce Customer Support must log in to your org to troubleshoot an issue.

- Apply Delegated Authentication to Your Salesforce Org
  To improve your Salesforce org's security, enable Delegated Authentication for your entire org and manage the setting for your users at the permission level. Delegated Authentication redirects your users to an authentication provider of your choice, preventing them from logging in with their Salesforce credentials. Use this feature to prevent former employees from accessing your org with their Salesforce credentials, which are different from the credentials they use with the authentication provider. Previously, you contacted Salesforce Customer Support to enable this feature.

- Seamlessly Integrate Federation IDs with Identity Providers
  For easier integration with third-party identity providers, you can turn off case sensitivity of Federation IDs for your entire Salesforce org. Previously, because Salesforce treated Federation IDs as case-sensitive, it was possible to create two distinct users with Federation IDs that differed only in case, for example, ssmith and SSmith. Because some external identity providers don't consistently preserve case, this caused authentication issues.

- Customize Your Embedded Login Page Type
  Give your customers a better login experience. Configure Embedded Login to use the discoverable login page type or any other custom login page type already set up for your community.

- Improve SSO with Custom Community URLs
  Improve the login experience for your community users and reduce HTTP redirects by using optional community-specific URLs for single sign-on.

- Discover Login Page Attributes with New JSON Response Fields
  Use two new JSON response fields to discover login page attributes. The new LoginPageType field indicates whether the page type assigned to a community is discoverable, custom, or standard, or whether Salesforce org pages are discoverable or standard. The new LoginPageTypeConfigs field defines whether the login prompt displays a preconfigured localized message for discoverable login page types. For custom login pages, it includes the custom login page URL and indicates whether the login page type is Designer or Visualforce. LoginPageTypeConfigs also shows whether the discoverable or custom login page type assigned to the community is assigned to the Embedded Login configuration.

- Access Pardot API Services with Connected Apps
  You can configure a connected app to access your Pardot API services. With this configuration, a client (represented by the connected app) accesses the Pardot services on behalf of the user. Manage the full extent of accessible services in Pardot.

- Filter Login History by Application and Login Types
  You can now filter Login History reports and list views by the type of application a user logged in from, such as a mobile device, and by the type of login, such as Outlook integration logins. These filters apply to login data captured over the past 6 months.
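The "Initiate Two-Factor Authentication with Apex" item above describes a two-step flow (initiate, then verify) for email, SMS, and Salesforce Authenticator, and a one-step flow for password and TOTP. The following Apex class is an added example, not code from the release notes or from Salesforce. It assumes the System.UserManagement methods `initVerificationMethod(Auth.VerificationMethod)` and `verifyVerificationMethod(String, String, Auth.VerificationMethod)`, the `Auth.VerificationMethod` enum, and the `Auth.VerificationResult` type; the release notes do not name these, so treat them as assumptions to check against your org's API version.

```apex
// Added example (not from the release notes). Assumed API:
//   String  System.UserManagement.initVerificationMethod(Auth.VerificationMethod m)
//   Auth.VerificationResult System.UserManagement.verifyVerificationMethod(
//       String identifier, String code, Auth.VerificationMethod m)
// Wraps step-up verification so the caller never has to remember which
// methods need the two-step dance and which complete in a single call.
public with sharing class StepUpVerification {

    // Methods that deliver a code out of band and therefore need an init step.
    private static final Set<Auth.VerificationMethod> TWO_STEP = new Set<Auth.VerificationMethod>{
        Auth.VerificationMethod.EMAIL,
        Auth.VerificationMethod.SMS,
        Auth.VerificationMethod.SALESFORCE_AUTHENTICATOR
    };

    // Step 1: start the challenge. Salesforce sends the code (email/SMS) or
    // pushes the approval (Authenticator). Returns the session identifier
    // that must be handed back in step 2. Throws for one-step methods so a
    // caller cannot accidentally skip straight to verify with a stale id.
    public static String startChallenge(Auth.VerificationMethod method) {
        if (!TWO_STEP.contains(method)) {
            throw new StepUpException('No init step for ' + method + '; call completeChallenge directly.');
        }
        return System.UserManagement.initVerificationMethod(method);
    }

    // Step 2: complete the challenge with what the user entered. For TOTP and
    // PASSWORD the identifier is null because there was no init step.
    public static Boolean completeChallenge(String identifier, String code, Auth.VerificationMethod method) {
        if (TWO_STEP.contains(method) && String.isBlank(identifier)) {
            throw new StepUpException('Missing identifier: call startChallenge first for ' + method);
        }
        Auth.VerificationResult result =
            System.UserManagement.verifyVerificationMethod(identifier, code, method);
        if (!result.success) {
            // Log the reason for detection/triage; never echo it to an unauthenticated caller.
            System.debug(LoggingLevel.WARN, 'Step-up verification failed: ' + result.message);
        }
        return result.success;
    }

    // Convenience wrapper for the one-step TOTP case.
    public static Boolean verifyTotp(String code) {
        return completeChallenge(null, code, Auth.VerificationMethod.TOTP);
    }

    public class StepUpException extends Exception {}
}
```

Typical use from a Visualforce or Lightning controller: call `startChallenge(Auth.VerificationMethod.SMS)` when the user requests the sensitive action, store the returned identifier in view state or a server-side cache for that session only, then call `completeChallenge(identifier, code, Auth.VerificationMethod.SMS)` with the code the user typed and gate the action on the boolean result.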
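Before turning off case sensitivity of Federation IDs, as described in "Seamlessly Integrate Federation IDs with Identity Providers" above, it is worth knowing whether the org already contains users such as ssmith and SSmith whose Federation IDs collide once case is ignored, since those users would no longer be distinguishable to the identity provider mapping. The following Apex is an added pre-flight check, not code from the release notes or from Salesforce; it uses only the standard `User.FederationIdentifier` field and can be run from Execute Anonymous.

```apex
// Added example (not from the release notes). Finds Federation IDs that are
// unique today only because of letter case. Run before disabling
// case sensitivity so the collisions can be resolved first.
public with sharing class FederationIdAudit {

    // Returns folded Federation ID -> list of "Username (original FederationIdentifier, active?)"
    // for every group with more than one user. An empty map means it is safe to proceed.
    public static Map<String, List<String>> findCaseCollisions() {
        Map<String, List<String>> byFolded = new Map<String, List<String>>();

        // Inactive users are included on purpose: their Federation IDs still
        // occupy the namespace once matching becomes case-insensitive.
        for (User u : [SELECT Username, FederationIdentifier, IsActive
                       FROM User
                       WHERE FederationIdentifier != null]) {
            String key = u.FederationIdentifier.trim().toLowerCase();
            if (!byFolded.containsKey(key)) {
                byFolded.put(key, new List<String>());
            }
            byFolded.get(key).add(u.Username + ' (' + u.FederationIdentifier
                                  + ', ' + (u.IsActive ? 'active' : 'inactive') + ')');
        }

        Map<String, List<String>> collisions = new Map<String, List<String>>();
        for (String key : byFolded.keySet()) {
            if (byFolded.get(key).size() > 1) {
                collisions.put(key, byFolded.get(key));
            }
        }
        return collisions;
    }

    // Execute Anonymous entry point: logs one WARN line per colliding group.
    public static void report() {
        Map<String, List<String>> collisions = findCaseCollisions();
        if (collisions.isEmpty()) {
            System.debug('No Federation ID case collisions found.');
            return;
        }
        for (String key : collisions.keySet()) {
            System.debug(LoggingLevel.WARN,
                'Federation ID collision after case folding: ' + key + ' -> ' + collisions.get(key));
        }
    }
}
```

In Execute Anonymous, `FederationIdAudit.report();` prints the colliding groups. The single SOQL query is subject to the usual governor limit of 50,000 rows; orgs with more users holding Federation IDs should move the same grouping logic into a Batch Apex job. Resolve each collision by deactivating or re-mapping the duplicate user before flipping the org setting, and re-run the check afterwards to confirm the map is empty.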