Log In Password-Free with Lightning Login

Passwords get the job done, helping to secure your Salesforce org. But it’s no secret—weak passwords, forgotten passwords, and locked-out accounts can be a hassle. Now, logging in can be as simple as a click, a tap, and a touch: Click your username, tap to approve the notification on your mobile device, and authenticate with your fingerprint or PIN. The speed, convenience, and enhanced security that users get with Lightning Login leaves password-protected logins in the dust. This feature is available in both Lightning Experience and Salesforce Classic.
Available in: Contact Manager, Group, Professional, Enterprise, Performance, Unlimited, and Developer Editions

Your users’ Lightning Login experience is incredibly simple.User experience of Lightning Login approval process
  1. Click—Look for the lightning bolt next to your Lightning Login–enabled username, and click your username.
  2. Tap—On your mobile device, tap the notification from the Salesforce Authenticator app.
  3. Touch—Verify your identity with your fingerprint or PIN. Presto! You’re logged in.

Password-free logins rely on Salesforce Authenticator (version 2 or later), the two-factor authentication mobile app that’s available as a free download for iOS and Android devices. Not only are we making logins more convenient, we’re adding a layer of security by requiring two factors of authentication for every Lightning Login. The first factor is something that the user has—a mobile device that has Salesforce Authenticator installed and connected with the user’s Salesforce account. The second factor is something that the user is, such as a fingerprint, or something that the user knows, such as a PIN. The second level of authentication enhances security by requiring access to the mobile device and the user’s fingerprint or PIN.

Setting up and educating your users is also simple.
  • Enable Lightning Login for your users by assigning them the “Lightning Login User” permission using profiles (cloned or custom profiles only) or permission sets. Lightning Login isn’t supported for external users.
  • Lightning Login isn’t limited to orgs using Lightning Experience. It works in Salesforce Classic, too.
  • Each user who has the required permission enrolls individually in Lightning Login. Lightning Login Enroll linkOn the user’s Advanced User Details page, clicking Enroll prompts a notification on the user’s mobile device. A tap to approve and a fingerprint or PIN to authenticate completes the enrollment. For users who aren’t already using Salesforce Authenticator, enrollment includes a few extra steps. Users are guided through downloading and installing Salesforce Authenticator, connecting it to their Salesforce account, and setting up the second factor (fingerprint or PIN).
  • Enrolled users are also able to log in by entering only their username, skipping the password field, and clicking Log In.
  • While enrolled, if users are ever without their mobile device, they can still log in with their password. If users disconnect Salesforce Authenticator from their Salesforce account, Lightning Login isn’t allowed until they connect it again.
  • Users can cancel their own enrollment at any time. An admin can cancel any individual user’s enrollment (although an admin can’t enroll on behalf of a user).
  • To monitor your users’ Lightning Login usage, use Salesforce’s Login History or Identity Verification History tools to fine-tune your roll-out.

In your org’s Session Settings, the Allow Lightning Login setting makes Lightning Login available, although no one can enroll until you assign them the “Lightning Login User” user permission. You can disable Allow Lightning Login at any time, to switch all users back to username and password logins.

The Lightning Login method is assigned the Standard security level by default. A Lightning Login establishes a Standard security level for the user’s session, which is the default security level for the Username Password method that Lightning Login typically replaces. If needed, you can change the security level to High Assurance.

As you plan your Lightning Login roll-out, keep these things in mind.
  • Lightning Login is generally available as of October 15, 2016. Before then, it’s not available in sandboxes.
  • The Salesforce Authenticator (version 2 or later) mobile app is required. If your org isn’t already using it, review the requirements, support, and considerations for the app.