|Available in: Contact Manager, Group, Professional, Enterprise, Performance, Unlimited, and Developer Editions|
- Click—Look for the lightning bolt next to your Lightning Login–enabled username, and click your username.
- Tap—On your mobile device, tap the notification from the Salesforce Authenticator app.
- Touch—Verify your identity with your fingerprint or PIN. Presto! You’re logged in.
Password-free logins rely on Salesforce Authenticator (version 2 or later), the two-factor authentication mobile app that’s available as a free download for iOS and Android devices. Not only are we making logins more convenient, we’re adding a layer of security by requiring two factors of authentication for every Lightning Login. The first factor is something that the user has—a mobile device that has Salesforce Authenticator installed and connected with the user’s Salesforce account. The second factor is something that the user is, such as a fingerprint, or something that the user knows, such as a PIN. The second level of authentication enhances security by requiring access to the mobile device and the user’s fingerprint or PIN.
- Enable Lightning Login for your users by assigning them the “Lightning Login User” permission using profiles (cloned or custom profiles only) or permission sets. Lightning Login isn’t supported for external users.
- Lightning Login isn’t limited to orgs using Lightning Experience. It works in Salesforce Classic, too.
- Each user who has the required permission enrolls individually in Lightning Login. On the user’s Advanced User Details page, clicking Enroll prompts a notification on the user’s mobile device. A tap to approve and a fingerprint or PIN to authenticate completes the enrollment. For users who aren’t already using Salesforce Authenticator, enrollment includes a few extra steps. Users are guided through downloading and installing Salesforce Authenticator, connecting it to their Salesforce account, and setting up the second factor (fingerprint or PIN).
- Enrolled users are also able to log in by entering only their username, skipping the password field, and clicking Log In.
- While enrolled, if users are ever without their mobile device, they can still log in with their password. If users disconnect Salesforce Authenticator from their Salesforce account, Lightning Login isn’t allowed until they connect it again.
- Users can cancel their own enrollment at any time. An admin can cancel any individual user’s enrollment (although an admin can’t enroll on behalf of a user).
- To monitor your users’ Lightning Login usage, use Salesforce’s Login History or Identity Verification History tools to fine-tune your roll-out.
In your org’s Session Settings, the Allow Lightning Login setting makes Lightning Login available, although no one can enroll until you assign them the “Lightning Login User” user permission. You can disable Allow Lightning Login at any time, to switch all users back to username and password logins.
The Lightning Login method is assigned the Standard security level by default. A Lightning Login establishes a Standard security level for the user’s session, which is the default security level for the Username Password method that Lightning Login typically replaces. If needed, you can change the security level to High Assurance.
- Lightning Login is generally available as of October 15, 2016. Before then, it’s not available in sandboxes.
- The Salesforce Authenticator (version 2 or later) mobile app is required. If your org isn’t already using it, review the requirements, support, and considerations for the app.