Require Two-Factor Authentication Using Apex Triggers

Using an Apex trigger, you can now require user identity verification to help protect sensitive operations for your business.
Available in: All Editions

The new Auth.VerificationException class gives your own Apex code a second way, alongside Auth.SessionManagement.generateVerificationUrl, to use the Salesforce verification framework and start the identity verification flow.

By throwing an instance of Auth.VerificationException, you no longer have to manually assemble the verification URL using Auth.SessionManagement.generateVerificationUrl and then perform a manual redirect.

You can also throw an Auth.VerificationException inside an Apex trigger and make the system enter the verification flow, which isn't possible with Auth.SessionManagement.generateVerificationUrl. When a trigger throws the exception, API clients get an API error ("Requires extra verification"), and it's then the client's responsibility to verify the user's identity. In the UI, users are prompted to verify their identity.
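The following is an added example, not code from the release note, showing the same high-assurance gate written both ways in a hypothetical Visualforce controller: once by assembling the URL with Auth.SessionManagement.generateVerificationUrl and redirecting manually, and once by throwing Auth.VerificationException and letting the platform run the flow. The class name, page name and the "export" operation are assumptions.

```apex
// Added example (not from the original release note). The class, the
// /apex/SensitiveExport page and the export itself are hypothetical.
public with sharing class SensitiveExportController {

    private static final String DESCRIPTION = 'Export account data';

    // CSV produced by the sensitive operation, rendered by the page.
    public String csv { get; private set; }

    // True when the current session already has the HIGH_ASSURANCE level.
    private static Boolean hasHighAssurance() {
        Map<String, String> session = Auth.SessionManagement.getCurrentSession();
        // Compare from the literal side so a missing key cannot throw a
        // NullPointerException.
        return 'HIGH_ASSURANCE'.equals(session.get('SessionSecurityLevel'));
    }

    // Older approach: build the verification URL yourself and redirect to it.
    // The third argument is where the user is sent after verifying.
    public PageReference exportWithManualRedirect() {
        if (!hasHighAssurance()) {
            String verifyUrl = Auth.SessionManagement.generateVerificationUrl(
                Auth.VerificationPolicy.HIGH_ASSURANCE,
                DESCRIPTION,
                '/apex/SensitiveExport');
            PageReference pr = new PageReference(verifyUrl);
            pr.setRedirect(true);
            return pr;
        }
        return doExport();
    }

    // Newer approach: throw Auth.VerificationException. No URL to assemble and
    // no redirect to manage; the platform starts the verification flow.
    public PageReference exportWithException() {
        if (!hasHighAssurance()) {
            throw new Auth.VerificationException(
                Auth.VerificationPolicy.HIGH_ASSURANCE, DESCRIPTION);
        }
        return doExport();
    }

    // The sensitive operation guarded above: dump account revenue figures.
    private PageReference doExport() {
        List<String> rows = new List<String>{ 'Id,Name,AnnualRevenue' };
        for (Account a : [SELECT Id, Name, AnnualRevenue FROM Account LIMIT 1000]) {
            String revenue = a.AnnualRevenue == null ? '' : String.valueOf(a.AnnualRevenue);
            rows.add(String.join(new List<String>{ String.valueOf(a.Id), a.Name, revenue }, ','));
        }
        csv = String.join(rows, '\n');
        return null; // stay on the page and render csv
    }
}
```

Both action methods enforce the same policy; the difference is who owns the redirect. With the manual URL you must also choose a sensible return URL, whereas the exception path has nothing for a caller to get wrong.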

Example

This example uses Auth.VerificationException to start the verification flow if a user attempts to create an account without a high-assurance session.

trigger testTrigger on Account (before insert) {
    // The trigger body runs once per DML batch, so the session is checked once
    // no matter how many accounts are being inserted.
    Map<String, String> sessionMap = Auth.SessionManagement.getCurrentSession();
    // Comparing from the literal side avoids a NullPointerException if the key is absent.
    if (!'HIGH_ASSURANCE'.equals(sessionMap.get('SessionSecurityLevel'))) {
        // Aborts the insert; UI users are prompted to verify, API clients get
        // the "Requires extra verification" error.
        throw new Auth.VerificationException(Auth.VerificationPolicy.HIGH_ASSURANCE, 'Insert Account');
    }
}
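A variation, added here as an example and not part of the release note, generalizes the trigger above: instead of gating every insert, it requires a high-assurance session only when a sensitive field actually changes on update, and it inspects the whole batch before deciding. The trigger name and the choice of Ownership, AnnualRevenue and Website as "sensitive" fields are assumptions.

```apex
// Added example (not from the original release note). The trigger name and
// the set of sensitive fields are hypothetical choices.
trigger AccountSensitiveFieldGuard on Account (before update) {
    // Standard Account fields treated as sensitive for this example.
    Set<String> sensitiveFields = new Set<String>{ 'Ownership', 'AnnualRevenue', 'Website' };

    // Scan the whole batch: one changed sensitive field on any record is enough.
    Boolean sensitiveChange = false;
    for (Account updated : Trigger.new) {
        Account previous = Trigger.oldMap.get(updated.Id);
        for (String field : sensitiveFields) {
            if (updated.get(field) != previous.get(field)) {
                sensitiveChange = true;
                break;
            }
        }
        if (sensitiveChange) {
            break;
        }
    }

    if (sensitiveChange) {
        Map<String, String> session = Auth.SessionManagement.getCurrentSession();
        if (!'HIGH_ASSURANCE'.equals(session.get('SessionSecurityLevel'))) {
            // Fails the whole DML batch, as the platform does for any trigger
            // exception; the user (or API client) verifies and retries.
            throw new Auth.VerificationException(
                Auth.VerificationPolicy.HIGH_ASSURANCE,
                'Change sensitive Account fields');
        }
    }
}
```

Because the same trigger fires for UI edits and for API calls, any integration that updates these fields with a standard-assurance session will start receiving the "Requires extra verification" error; decide whether that is the intended behaviour for each integration user before deploying a gate like this.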