Login History logs every login attempt on your org — successful and failed — with the user, timestamp, source IP, login type (Application / API / SAML / OAuth), browser/client, and any failure reason.
Setup -> Login History. View the last 6 months in the UI. Filterable by user, by login status, by login type. Exportable.
Common uses:
- Security investigation — was this user actually logged in at 3am from Eastern Europe?
- Failed-login auditing — find users hitting login failures (forgotten password, expired session, blocked by IP restriction).
- API client identification — see which OAuth Connected Apps are being used and from where.
- MFA enforcement check — see whether a login was MFA-verified.
- Geographic anomaly detection — flag impossible-travel logins (logged in from Boston and Tokyo within 30 minutes).
Limitations: 6-month retention. If you need permanent records, integrate Login History to a SIEM via the API or use Event Monitoring (Shield) for richer event detail and S3-style log streaming.
Login History is the place to start any security investigation. If a user reports their account was compromised, the first action is to pull their Login History for the prior 30 days.