You Shall Not Pass!
So, we now agree on the benefits of a Cloud solution vs an old-fashioned “in house” system. Next, let’s address “Who sees what”.
Upon creating a new user, assigning an ID and selecting a password are standard procedure everywhere. Salesforce doesn’t stop there.
In the process of creating your organization structure, you can define further measures to ensure no unauthorized access occurs.
One of these measures is defining IP ranges. In simple words, it’s a bit like saying “if you get a call from this or that number, it’s ok to answer”. This can be more or less strict.
If the ID and password check out, but the IP address doesn’t, users are sent a verification code in order to ensure it’s a legit connection. Next step up, if you don’t need/want your users/agents logging in from any place other than your business/office location, login from out-of-range IPs can be denied altogether.
As an additional safety measure, you can enforce specific hour ranges during which connections are authorized. In this case, specifically, if a session is running and the cutoff time arrives, users can still see the current page they are on, but further interactions will be rejected as the session will have expired at the set cutoff time.
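The IP-range and login-hours rules above can be read as one small decision procedure. The following is an added sketch in Python that models it; it is not Salesforce code or a Salesforce API, and every name in it (TRUSTED_RANGES, LOGIN_HOURS, evaluate_login, evaluate_request, restrict_to_ranges) as well as the sample addresses and hours are assumptions constructed for illustration.

```python
from datetime import time
from enum import Enum
from ipaddress import ip_address


class Decision(Enum):
    ALLOW = "allow"
    CHALLENGE = "send verification code"
    DENY = "deny"


# Constructed sample policy: documentation-only IP ranges and office hours.
TRUSTED_RANGES = [("203.0.113.10", "203.0.113.50"), ("198.51.100.0", "198.51.100.255")]
LOGIN_HOURS = (time(8, 0), time(18, 0))  # start inclusive, cutoff exclusive


def ip_in_ranges(source_ip, ranges=TRUSTED_RANGES):
    """True if source_ip falls inside any inclusive start-end range."""
    addr = ip_address(source_ip)  # raises ValueError on a malformed address
    for start, end in ranges:
        lo, hi = ip_address(start), ip_address(end)
        # Only compare addresses of the same family (IPv4 vs IPv6).
        if addr.version == lo.version == hi.version and lo <= addr <= hi:
            return True
    return False


def within_hours(now, hours=LOGIN_HOURS):
    start, cutoff = hours
    return start <= now < cutoff


def evaluate_login(credentials_ok, source_ip, now, restrict_to_ranges=False):
    """Decide a login attempt; restrict_to_ranges models the stricter setting."""
    if not credentials_ok or not within_hours(now):
        return Decision.DENY
    try:
        trusted = ip_in_ranges(source_ip)
    except ValueError:
        return Decision.DENY  # an unparseable source address is never trusted
    if trusted:
        return Decision.ALLOW
    return Decision.DENY if restrict_to_ranges else Decision.CHALLENGE


def evaluate_request(session_active, now):
    """Each further interaction in an open session is re-checked against the cutoff."""
    return Decision.ALLOW if session_active and within_hours(now) else Decision.DENY
```
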
And if that doesn’t sound like enough, you can also configure SF to confirm users’ identities in a number of ways such as SMS confirmation, security tokens, encoded certificates, and SF Authenticator in conjunction with a Trusted Location (IP address).
A “Login flow” may also be implemented. Salesforce directs users to the login flow after they authenticate but before they access your org or community. Only after users successfully complete the login flow are they logged in to your Salesforce org or community. The login process can also log out users immediately if necessary.