You can rescue your users during two-factor authentication emergencies by giving them a temporary verification code. In Lightning Experience, a user with multiple usernames on the same Salesforce org or different orgs can easily switch between them with the user switcher.
Save the Day by Generating a Temporary Verification Code for Users in Distress
Generate a temporary identity verification code for users who forgot, lost, or otherwise can’t access the device they usually use for two-factor authentication. The user can log in and stay productive, and you don’t have to weaken security for your Salesforce org or community by removing the two-factor authentication requirement. This feature is available in both Lightning Experience and Salesforce Classic.
Delegate Two-Factor Authentication Management Tasks
A new permission lets you delegate some two-factor authentication support tasks to users who aren’t Salesforce admins. All users with the “Manage Users” permission also have the new permission, and you can’t remove it from those users. This feature is available in both Lightning Experience and Salesforce Classic.
Changed Name for “Manage Two-Factor Authentication” Permission
For clarity, we’ve changed the name of the “Manage Two-Factor Authentication” permission to “Manage Two-Factor Authentication in API.” The name change distinguishes this permission from the new permission “Manage Two-Factor Authentication in User Interface.” This feature is available in both Lightning Experience and Salesforce Classic.
Simplify Salesforce Navigation with the User Switcher
With the user switcher, users can now easily navigate Salesforce when they have multiple usernames on the same or different Salesforce orgs. They select their profile picture to see a list of available usernames to navigate to. Users no longer have to open a new tab, enter a login URL, and then enter their username. Their browsers aren’t cluttered with several tabs, one for each Salesforce org. Now users can have a single tab for all Salesforce orgs. This feature is available in Lightning Experience only.
See How Your Users Are Verifying Their Identity
We’ve made it easier for you to secure your Salesforce org or community with two-factor authentication by adding tools that show you how your users are verifying their identity. With knowledge about who’s not using your preferred verification methods, you can refine your roll-out strategy and target communications to just the right people. This feature is available in both Lightning Experience and Salesforce Classic.
Maintain Identity Verification on Public or Shared Devices
Now when your users log in to Salesforce and verify their identity on a device that isn’t private, they can help keep your org secure by alerting us. Ask your users to deselect the “Don’t ask again” option that appears on the identity verification page when they’re using a shared device or browser. Deselecting this option keeps us asking for identity verification whenever anyone logs in from that browser and device. This feature is available in both Lightning Experience and Salesforce Classic.
Implement Advanced Authentication for iOS Users of Custom Domains
If you have a custom domain created with My Domain, you have a new option to support authentication methods, such as Kerberos, Windows NT LAN Manager (NTLM), or certificate-based authentication, for users of Salesforce1 and Mobile SDK applications on iOS devices. When enabled, iOS users are redirected to their native browser when using single sign-on authentication into your custom domain. This feature is available in both Lightning Experience and Salesforce Classic.
Improved Session Security for OAuth 1.0 Token Exchanges
When a connected app requests access to Salesforce data via the user interface during an OAuth 1.0 token exchange, Salesforce validates the request and sends a short-lived session ID that is valid only for frontdoor.jsp. Previously, the session ID could be used in the API and was eligible for validity extensions. To disable this feature, contact Salesforce. This feature is available in both Lightning Experience and Salesforce Classic.
New X_ReadOnlyMode Parameter in OAuth 2.0 Responses
Users have read-only access to Salesforce during splits, instance migrations, instance switches, and other maintenance events. As an administrator, you can use the new X_ReadOnlyMode parameter to determine whether an access or refresh token is acquired while the org is in read-write mode or read-only mode. Access tokens obtained during read-only mode are used only for read operations. This feature is available in Lightning Experience, Salesforce Classic, and the Salesforce1 mobile browser app.
Get More Specific Login Type Reporting in Login History
When users use an authentication provider’s single sign-on (SSO) to access your Salesforce org through a customer service or partner portal, we provide more detailed entries in Login History. Previously, these login types were recorded as Customer Service Portal and Partner Portal, respectively. Now they’re recorded as Customer Service Portal Third-Party SSO and Partner Portal Third-Party SSO. This feature is available in both Lightning Experience and Salesforce Classic.
Endpoint Routing for User Interface Logins No Longer Supported
We’re changing our endpoint routing to deliver better performance and higher availability for our dedicated user interface login endpoints. Previously, you could use www.salesforce.com/login.jsp as a user interface login endpoint, which then routed you to the correct login instance. As of June 25, 2016, we are removing internal routing, and you have to change your user interface login endpoints from www.salesforce.com/login.jsp to https://login.salesforce.com/login.jsp. This change applies only to user interface login traffic. Logging in from a browser by clicking Login still works. This feature is available in both Lightning Experience and Salesforce Classic.
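One way to audit for the retired endpoint before the cutoff, as an added example that is not Salesforce code: the script finds hard-coded references to www.salesforce.com/login.jsp in configuration text and rewrites them to https://login.salesforce.com/login.jsp, keeping any query string. The sample settings, key names and function names are constructed for illustration.

```python
import re

NEW_ENDPOINT = "https://login.salesforce.com/login.jsp"

# Retired endpoint with an optional http/https scheme. The lookbehind keeps
# the pattern from firing inside a longer hostname or another URL's path;
# the lookahead stops it at names such as "login.jspx".
OLD_ENDPOINT = re.compile(
    r"(?<![\w./-])(?:https?://)?www\.salesforce\.com/login\.jsp(?![\w-])",
    re.IGNORECASE,
)

# Constructed sample integration settings (not from a real org).
SAMPLE_CONFIG = """\
# constructed sample integration settings
sso.login_url = http://www.salesforce.com/login.jsp
portal.login_url = https://www.salesforce.com/login.jsp?un=user%40example.com
legacy.link = WWW.salesforce.com/login.jsp
already.migrated = https://login.salesforce.com/login.jsp
marketing.page = https://www.salesforce.com/products/
"""


def find_retired_endpoints(text):
    """Return (line_number, matched_text) for every retired endpoint."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in OLD_ENDPOINT.finditer(line):
            hits.append((lineno, match.group(0)))
    return hits


def migrate(text):
    """Rewrite retired endpoints; returns (new_text, replacement_count).

    Only the scheme, host and /login.jsp are replaced, so a query string
    that follows the match is carried over unchanged.
    """
    return OLD_ENDPOINT.subn(NEW_ENDPOINT, text)


if __name__ == "__main__":
    for lineno, found in find_retired_endpoints(SAMPLE_CONFIG):
        print(f"line {lineno}: {found}")
    migrated, count = migrate(SAMPLE_CONFIG)
    print(f"{count} endpoint(s) rewritten")
```

Plain-HTTP references are upgraded to HTTPS as a side effect, and a second run over migrated text makes no changes.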
Identity Verification Labels and Email Are Easier to Understand
To reflect recent enhancements to our identity verification procedures, we’ve changed some labels in the user interface and slightly revised an email your users get when verifying their identity. This feature is available in both Lightning Experience and Salesforce Classic.
Log In Even Faster with the Salesforce Authenticator App
Now you can approve tasks directly from your mobile phone notifications. No more drilling into the app to approve automated tasks. Apple Watch also syncs to the app more quickly, so you can authenticate from your Apple Watch as easily as from other mobile devices, with less waiting for your codes to appear. Salesforce Authenticator works for Lightning Experience, Salesforce Classic, and the Salesforce mobile app.