Definition
Identity Verification is a Setup page where administrators configure the methods and policies used to verify user identities during login and high-assurance actions. Options include Salesforce Authenticator, TOTP apps, SMS verification, email verification, and physical security keys.
Real-World Example
The admin at Granite Financial configures Identity Verification to require Salesforce Authenticator for all users when they log in from an unrecognized device or IP address. She also enables security key support for the executive team, who use YubiKey devices as an additional verification factor for accessing sensitive financial data.
Why Identity Verification Matters
Identity Verification in Salesforce is the set of multi-factor authentication (MFA) methods and policies that administrators configure to verify user identities during login and high-assurance actions. Available methods include Salesforce Authenticator (mobile push notifications), time-based one-time password (TOTP) apps like Google Authenticator, SMS verification codes, email verification codes, and physical security keys like YubiKey. Identity Verification goes beyond basic password authentication by requiring a second factor that proves the user has physical possession of a device, significantly reducing the risk of account compromise from stolen passwords. Salesforce has made MFA a contractual requirement, making Identity Verification configuration a mandatory administrative task.
As security threats evolve and organizations face increasingly sophisticated phishing and credential theft attacks, Identity Verification becomes a foundational security control that protects the entire Salesforce ecosystem. Organizations that rely solely on passwords are vulnerable to credential stuffing attacks, where stolen credentials from other breaches are used to access Salesforce accounts. A well-configured Identity Verification policy uses the strongest available methods, with Salesforce Authenticator and security keys being the most secure, and SMS being the least secure due to SIM-swapping vulnerabilities. Administrators should configure step-up verification for sensitive actions like viewing encrypted fields or approving large transactions, and segment verification requirements by user risk level, with executives and admins requiring the strongest methods.
How Organizations Use Identity Verification
- Granite Financial — Granite Financial configured Identity Verification to require Salesforce Authenticator for all users logging in from unrecognized devices. For the executive team accessing sensitive financial data, they also enabled YubiKey security keys as a mandatory second factor. This layered approach reduced unauthorized access attempts by 95% compared to password-only authentication.
- MediGuard Healthcare — MediGuard Healthcare implemented Identity Verification with TOTP apps for all clinical staff accessing patient records. When a nurse logs in from a hospital workstation, they enter their password and then provide a 6-digit code from their authenticator app. This satisfies HIPAA's technical safeguard requirements for electronic health record access control.
- TechForward Agency — TechForward Agency configured step-up Identity Verification for their Salesforce administrators. Normal login requires Salesforce Authenticator, but accessing Setup pages or modifying security settings triggers an additional verification step with a physical security key. This prevents a compromised admin account from making security changes without physical device possession.