Identity Verification
Definition
Identity Verification is a Setup page where administrators configure the methods and policies used to verify user identities during login and high-assurance actions. Options include Salesforce Authenticator, TOTP apps, SMS verification, email verification, and physical security keys.
In plain English
“Here's a simple way to think about it: Identity Verification is the umbrella for every "prove it's really you" flow - Salesforce Authenticator, TOTP apps, SMS, email, security keys. The methods are the building blocks; policy decides when each is invoked.”
Worked example
The admin at Granite Financial configures Identity Verification to require Salesforce Authenticator for all users when they log in from an unrecognized device or IP address. She also enables security key support for the executive team, who use YubiKey devices as an additional verification factor for accessing sensitive financial data.
Why Identity Verification is the umbrella for every "prove it's really you" flow
Salesforce verifies user identity in many places - at login from a new IP, before a high-trust action like resetting an admin password, when MFA is required by policy. Identity Verification is the Setup page that consolidates the methods: Salesforce Authenticator, TOTP apps like Google Authenticator and 1Password, SMS, email, physical security keys. Each is a different trade-off between user friction and assurance level, and this page is where you decide which methods your users can rely on.
The choice matters because the least available method (e.g. SMS to a phone the user no longer has) becomes the recovery method some user will desperately need on a Tuesday morning. Enable a method that works when SMS doesn't (an authenticator app or security key); discourage SMS-only as the registered method even if you allow it; and document the recovery process so admins can help users who get locked out by their own MFA.
How to set up Identity Verification
Identity Verification (the modern name for MFA configuration) controls when and how users prove they are who they say they are: TOTP authenticator apps, security keys, SMS, email codes. Since 2022, MFA has been contractually required for Salesforce admin and high-privilege users.
- Open Setup → Identity Verification
  Setup gear → Quick Find: Identity Verification → Identity Verification.
- Review verification methods enabled
  Salesforce Authenticator (push-notification app) / TOTP (Authy, Google Authenticator) / U2F Security Keys / SMS / Email. Pick which to enable.
- Set when to challenge
  Always (every login) / when login risk is detected (default) / never (not allowed for admin profiles).
- Open Setup → Multi-Factor Authentication Assistant
  Salesforce-provided wizard to roll out MFA per profile. Check progress and identify users not yet enrolled.
- Tick Require MFA for Logins for relevant profiles
  Setup → Profile → System & User Permissions → tick Multi-Factor Authentication for User Interface Logins. Users on these profiles must enroll a verification method.
- Communicate to users
  First login after this change prompts users to enroll. Provide enrollment instructions and a help channel for confused users.
Salesforce Authenticator: Push notifications. The most user-friendly method.
TOTP: Standards-based time-based one-time passwords. Works with any TOTP app.
U2F Security Keys: Hardware tokens (YubiKey, etc.). Strongest, most user-resistant.
SMS: Being deprecated as a method due to SIM-swap risk. Salesforce recommends alternatives.
Email: Fallback method. Less secure than TOTP / hardware.
- MFA has been contractually required for Salesforce admins and high-privilege users since February 2022. Non-compliance can affect your contract. Don't disable MFA on admin profiles.
- SMS as a verification method is being deprecated. SIM-swap attacks are a real threat — Salesforce recommends moving users to TOTP or hardware keys.
- First-time enrollment can confuse users. Pair the rollout with clear comms — "On your next login you'll be asked to set up MFA, here's how."
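After the rollout, the points above (users not yet enrolled, SMS-only registrations, admin profiles without an app or key) can be checked against an export of registered methods. The script below is an added example, not Salesforce code: the CSV layout, column names and sample rows are constructed for illustration, and the admin profile set is an assumption to adjust for your org.

```python
import csv
import io

# Constructed sample export (not real data). Column names are hypothetical:
# one row per user, "1" where the user has that verification method registered.
SAMPLE_EXPORT = """username,profile,authenticator,totp,security_key,sms,email
avery@example.com,System Administrator,1,0,1,1,0
blake@example.com,Standard User,0,0,0,1,0
casey@example.com,Standard User,0,1,0,0,1
devon@example.com,System Administrator,0,0,0,0,1
emery@example.com,Standard User,0,0,0,0,0
"""

STRONG = ("authenticator", "totp", "security_key")  # app- or hardware-based
WEAK = ("sms", "email")                             # code delivered over a channel
ADMIN_PROFILES = {"System Administrator"}           # assumption: adjust to your org


def classify(row):
    """Return a finding for one user row, or None if no follow-up is needed."""
    registered = {m for m in STRONG + WEAK if row[m].strip() == "1"}
    if not registered:
        return "not-enrolled"
    if registered == {"sms"}:
        return "sms-only"      # locked out as soon as the phone number is lost
    if not registered & set(STRONG):
        return "weak-only"     # only SMS/email, no authenticator app or key
    return None


def audit(export_text, admin_profiles=ADMIN_PROFILES):
    """Return (username, finding, priority) tuples, admin accounts first."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        finding = classify(row)
        if finding is None:
            continue
        priority = "high" if row["profile"] in admin_profiles else "normal"
        findings.append((row["username"], finding, priority))
    # Admin accounts first, then by username for a stable report.
    findings.sort(key=lambda f: (f[2] != "high", f[0]))
    return findings


if __name__ == "__main__":
    for username, finding, priority in audit(SAMPLE_EXPORT):
        print(f"{priority:6} {finding:14} {username}")
```
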
How organizations use Identity Verification
Standardized on Salesforce Authenticator + security keys; phased out SMS for high-assurance workflows after a SIM-swap incident.
Compliance team enforced Authenticator-only for admin workflows; TOTP-eligible methods cover the rest of the user base.
Patient-facing clinicians use Salesforce Authenticator with biometric second factors; enrollment is part of standard onboarding.
Test your knowledge
Q1. Can a Salesforce admin configure Identity Verification without writing code?
Q2. Why is understanding Identity Verification important for Salesforce admins?
Q3. In which area of Salesforce would you typically find Identity Verification?