Skip to content
Salesforce Dictionary - Free Salesforce GlossarySalesforce Dictionary
Full Identity Verification Settings entry
How-to guide

Configure Identity Verification Settings

Use this flow to set which methods your users can register and how device activation challenges behave. Change one section at a time and verify a real login before moving on. Settings here apply org-wide to the relevant audience, so there is no undo by Profile.

By Dipojjal Chakrabarti · Founder & Editor, Salesforce DictionaryLast updated Jun 16, 2026

Use this flow to set which methods your users can register and how device activation challenges behave. Change one section at a time and verify a real login before moving on. Settings here apply org-wide to the relevant audience, so there is no undo by Profile.

  1. Open the page

    From Setup, type Identity in the Quick Find box and select Identity Verification. Confirm you are looking at the right org and note the current state of each section before editing.

  2. Choose the allowed methods

    In the method sections, enable the verification methods you want available. Favor built-in authenticators and security keys for internal users because Salesforce treats them as phishing-resistant. Keep email and SMS as device-activation fallbacks rather than primary factors.

  3. Set external user options separately

    Scroll to the Experience Cloud site sections and decide method availability for external users on their own terms. Enable SMS only if your audience is in a supported country and you accept that it is weaker than an authenticator.

  4. Require a verified email and save

    Turn on the option to require a verified email address so one-time passcodes always have a destination, then save. Sign in from a fresh browser session to confirm the challenge behaves as intended.

Verification methodsremember

The set of MFA-grade methods you let users register: built-in authenticators, security keys, Salesforce Authenticator, and third-party authenticator apps.

Email identity verificationremember

Allows a one-time passcode to be sent to the user's verified email during a device activation challenge. Convenient but weaker than an authenticator.

SMS identity verificationremember

Sends a passcode by text, aimed mainly at external Experience Cloud users and limited to supported countries.

One-time password behaviorremember

Governs the format and handling of email and SMS passcodes used to clear challenges.

Require a verified email addressremember

Ensures every user has a confirmed email on file so email-based verification can actually reach them.

Gotchas
  • The page is org-wide, not per-Profile. A change lands on the whole relevant audience at their next unfamiliar login.
  • Email and SMS are not valid standalone MFA factors under Salesforce's MFA requirement. Use them for device activation, not as your only second factor.
  • Enabling a method here does nothing until users enroll it in Personal Settings. Communicate the rollout before tightening.
  • Device activation resets when a user switches browsers or clears cookies, so expect a fresh challenge after a device wipe.

See the full Identity Verification Settings entry

Identity Verification Settings includes the definition, worked example, deep dive, related terms, and a quiz.