Identity Verification Settings
Definition
Identity Verification Settings is the Salesforce Setup page that controls how identity verification behaves across the org: which verification methods are allowed, what triggers a verification prompt, how long verified devices remain trusted, and which user populations are subject to which rules. The page is the master control panel for the adaptive authentication layer that challenges suspicious login attempts. Most settings have sensible defaults that suit standard B2B SaaS orgs; regulated industries (financial services, healthcare) typically tighten the settings beyond those defaults.
The settings affect every user in the org but interact with several other features: Login IP Ranges (per-profile IP allow-lists that skip verification), MFA enforcement (separate from but layered with verification), Network Access settings (the org-wide IP restrictions), and Connected App settings (for API-based access). Misconfiguration produces either users hitting verification too often (over-strict, productivity hit) or users not hitting verification often enough (under-strict, security risk). The page is the single control plane for tuning that balance.
What Identity Verification Settings controls
Allowed verification methods
The Settings page lists the verification methods enabled for the org: email, SMS, Salesforce Authenticator, FIDO security keys, third-party authenticator apps (TOTP-compatible). Each can be enabled or disabled. Disabling email-only verification is a common tightening: email accounts can be compromised, so requiring a stronger second factor is more secure. The list of methods configured here is what users see when registering their verification methods in Personal Settings.
Trusted device duration
The trust window is configurable from a few hours to several days. The default is 7 days. Shorter windows mean more frequent verification prompts (better security, worse user experience). Longer windows mean fewer prompts (better user experience, weaker security). Industries with strict requirements (financial services compliance, healthcare) may set 1 day; standard B2B orgs leave it at 7 days.
Activation requirements
Some settings control activation of verification for specific user populations. For example, you can require verification for all users, or limit it to specific profiles. Org-wide is the default and recommended; partial enablement leaves some users on weaker protection. Limiting verification to specific profiles makes sense only as a transitional state during MFA rollout, not as a permanent configuration.
Interaction with Login IP Ranges
Login IP Ranges configured per-profile exempt the listed IPs from triggering verification. This is the standard mechanism for reducing prompts on trusted corporate networks. The Settings page does not configure IP Ranges directly; they live under each Profile. However, the verification behavior is the consequence of IP Range configuration: IPs in the range skip verification regardless of device or other signals.
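Because every IP inside a profile's range skips verification, range width is worth checking before touching the Settings page. The following is an added example, not code from Salesforce or from this page: it parses a constructed profile file in the Metadata API `loginIpRanges` shape, flags ranges wider than an assumed review threshold (65,536 addresses), and tests whether a given login IP is covered. The function names and sample addresses are illustrative.

```python
import ipaddress
import xml.etree.ElementTree as ET

NS = {"sf": "http://soap.sforce.com/2006/04/metadata"}
MAX_ADDRESSES = 65_536  # assumed review threshold (a /16), not a Salesforce limit

# Constructed sample in the shape of a retrieved Profile metadata file.
SAMPLE_PROFILE = """<Profile xmlns="http://soap.sforce.com/2006/04/metadata">
    <loginIpRanges>
        <description>HQ office</description>
        <startAddress>203.0.113.0</startAddress>
        <endAddress>203.0.113.255</endAddress>
    </loginIpRanges>
    <loginIpRanges>
        <description>temp - remove after rollout</description>
        <startAddress>0.0.0.0</startAddress>
        <endAddress>255.255.255.255</endAddress>
    </loginIpRanges>
</Profile>"""


def load_ranges(profile_xml):
    """Return (description, start, end) for each loginIpRanges entry."""
    root = ET.fromstring(profile_xml)
    ranges = []
    for node in root.findall("sf:loginIpRanges", NS):
        start = ipaddress.ip_address(node.findtext("sf:startAddress", namespaces=NS))
        end = ipaddress.ip_address(node.findtext("sf:endAddress", namespaces=NS))
        desc = node.findtext("sf:description", default="", namespaces=NS)
        ranges.append((desc, start, end))
    return ranges


def overly_broad(ranges, limit=MAX_ADDRESSES):
    """Ranges larger than limit; every address inside skips verification."""
    sized = [(d, int(e) - int(s) + 1) for d, s, e in ranges]
    return [(d, n) for d, n in sized if n > limit]


def covers(ranges, ip):
    """True if a login from ip falls inside any range (no prompt expected)."""
    addr = ipaddress.ip_address(ip)
    return any(s.version == addr.version and s <= addr <= e for _, s, e in ranges)


if __name__ == "__main__":
    ranges = load_ranges(SAMPLE_PROFILE)
    for desc, size in overly_broad(ranges):
        print(f"REVIEW: '{desc}' spans {size} addresses")
    print("office IP covered:", covers(ranges[:1], "198.51.100.7"))
```

A range flagged by `overly_broad` is the under-strict case; an office address for which `covers` returns false is the usual source of repeated prompts.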
MFA enforcement (separate but related)
Salesforce's MFA enforcement is a separate setting (Setup > Security > Multi-Factor Authentication Assistant) but interacts with Identity Verification. MFA requires a second factor on every login; Identity Verification adaptively challenges on suspicious attempts. An org with mandatory MFA still sees Identity Verification prompts on first-time-device login. Configure both for full coverage; the two together are stronger than either alone.
Per-user verification method registration
Users register their verification methods through Personal Settings > Advanced User Details > Identity Verification. The Settings page configures what methods are available; the user picks which they want to use. Encourage users to register multiple methods to avoid lockout: Salesforce Authenticator plus a backup like SMS or email. Single-method users get stuck when their primary device is unavailable.
Reset and recovery
When a user is locked out (lost phone, no access to registered email), an admin can reset their verification through the User detail page. The reset clears registered methods; the user re-enrolls on next login. This is an auditable action; document each reset with the requesting user and the reason. Build the reset process into the IT help desk runbook so resolution is fast without leaving users stranded.
Configure Identity Verification Settings
Configuring Identity Verification Settings is a tuning exercise: pick allowed methods, set the trust window, configure user populations, and confirm interaction with related security features. The steps below cover the full setup.
- Open the settings
Setup > Identity > Identity Verification Settings. The page shows allowed methods, trust window, and population controls.
- Review allowed methods
Check which verification methods are enabled. For most orgs: enable Salesforce Authenticator, SMS, and email; consider FIDO for high-security needs.
- Decide on email-only restriction
For tighter security, disable email-only verification. Users must register Authenticator or another stronger method. Communicate this change before disabling.
- Set trust window
Tune the trust window. Default 7 days suits most B2B orgs; regulated industries may set 1 day; user-friendly orgs may extend up to the maximum.
- Configure user population
Confirm verification applies to all users by default. Limiting verification to specific profiles is uncommon and usually only a transitional state during MFA rollout.
- Cross-check Login IP Ranges
Review per-profile Login IP Ranges. Trusted office networks should be listed; misconfigured ranges produce too-frequent verification prompts.
- Verify MFA enforcement separately
Confirm MFA is also configured. The two features are separate; one without the other leaves gaps.
Allowed methods: Email, SMS, Authenticator, FIDO, TOTP. Pick the methods available to users.
Trust window: How long a verified device stays trusted. Configurable; 7-day default.
User population: Which users are subject to verification. Default org-wide.
Email-only restriction: Disable email-only verification to require stronger methods.
Login IP Ranges: Per-profile IP allow-lists that skip verification on trusted networks.
- Settings here do not include MFA configuration. MFA lives under Multi-Factor Authentication Assistant; ensure both are enabled for full coverage.
- Disabling email-only verification can lock out users who only registered email. Plan the change with a communication window for users to register additional methods.
- Trust window applies per-device-per-browser. Users clearing cookies or switching browsers see frequent prompts despite the trust window setting.
- Login IP Range misconfiguration is the most common cause of "too many verification prompts" complaints. Audit IP Ranges before adjusting Settings.
- Admin reset of verification is the recovery path. Document the process; an undocumented reset path leaves help desk teams stranded.
About the Author
Dipojjal Chakrabarti is a B2C Solution Architect with 29 Salesforce certifications and over 13 years in the Salesforce ecosystem. He runs salesforcedictionary.com to help admins, developers, architects, and cert/interview candidates sharpen their fundamentals.
Test your knowledge
Q1. Can a Salesforce admin configure Identity Verification Settings without writing code?
Q2. Why is understanding Identity Verification Settings important for Salesforce admins?
Q3. In which area of Salesforce would you typically find Identity Verification Settings?