Identity Confirmation (setting login restrictions)

Posted September 12th, 2008 in Certified Administrator and tagged , , by John Coppedge

Describe the Identity Confirmation Feature

The identity confirmation feature is what requires you to activate your computer to log in.

From Salesforce solution "What is the Identity Confirmation feature and how does it work?"

Criteria for Activation Process:

  1. Is the org using IP Login Restrictions on Profiles?
  2. Is the User logging in from an IP on the Trusted Network list?
  3. Have we seen this Activated User from this IP address before?
    • If Activated once before, we add the IP to their personal list and never challenge them from that IP again.
    • Each user has a list of IPs from which they’ve activated. (This list is not currently visible in the applciation.)
  4. Does the User have a cookie placed from Salesforce in this browser?
    • We set a cookie on any browser that doesn’t have a cookie once a User has logged in.
    • If they log in from a Trusted Network IP a cookie will be set in the browser.

Yes on any one of these = Pass on activation process

No on all of these = Initiate activation process

The activation process requires you to click "Send activation link" when you attempt to log in.  Salesforce will then send you an email with a link that you must click to complete the activation process.  You must click this link on the same computer that you intend to log in on- a blackberry or remote computer will not work.


Describe the differences between logging in through the API versus the UI

The user interface (UI) is logging into Salesforce using a web browser.  If you are not a)connecting through a web browser and b)connected to https://xxx.salesforce.com then you are almost undoubtedly connecting through the API.

API access comes in many forms: Connect for Outlook, Salesforce Offline- basically any external application/website that references data in Salesforce uses API calls.


Explain the concept of Login Hours and Login IP ranges

Login hours are configured on a per-profile basis, Enterprise and up only.

Setup –> Manage Users –> Profiles

Login IP Ranges

By default, any user can connect from any IP address.  When you add an IP range, then users can only connect from allowed networks.  Login IP Ranges are configured depending on version:

Enterprise and up: Profile-based

Setup –> Manager Users –> Profiles

Professional and lower: Company-wide

Setup –> Security Controls –> Session Settings

Trusted Networks

If you are connecting from a trusted network, then you will not have to activate your computer or use a security token for API calls (a password alone will suffice).  Add networks to the trusted list:

Setup –> Security Controls –> Network Access

From Salesforce solution "What is a Security Token and how does it work?"

Criteria for Security Token:

  1. Is this User / API call / client app logging in from an IP on the Trusted IP Range list?
  2. Does this User have IP Login Restrictions on their profile?

Yes on either of these will mean a pass on Security Token requirement


Add and delete an IP range

IP ranges are used for Login IP Ranges and Trusted Networks.  Use a start IP and an end IP, and it will register all IP addresses between.


Describe the different methods to allow access to the application

There are several methods to access the program:

Web browers (UI)

API access (3rd party programs, websites, etc.).  The API is only available to Enterprise Edition and up.

Mobile application (Blackberry)

Access is granted by creating a user with a set profile.  This profile restricts access hours and API access.  Mobile access is licensed per user and assigned as such.

9 Responses so far.

  1. MaritzaNo Gravatar says:

    On the practice test, I had this question, it doesn’t make sense to me. Am I missing something or is this question wrong? If you select the bypass feature, why would it not do it?
    Thanks as I am confused about this one.

    Q.4) Which of the following will not bypass Identity Confirmation? (select one)

    A. The user’s profile has IP login restrictions enabled. (your answer)
    B. The user has logged into Salesforce previously from their current IP address.
    C. The user has activated this computer before and has a stored activation cookie.
    D. The user’s record has the “Bypass User Identity Confirmation” checkbox enabled. (correct answer)
    E. The user is logging in from an IP address within the list of trusted networks.

  2. John CoppedgeNo Gravatar says:

    Its a trick question- there is no “Bypass User Identity Confirmation” checkbox.

  3. BJBerryNo Gravatar says:

    And this is why I hate this test and these types of tests.

    Trick questions are stupid.

  4. Dev AroraNo Gravatar says:

    Hi John,

    Can you please explain me in detail why is the answer D correct in the above question ? I am confused. I would really appreciate your help

  5. John CoppedgeNo Gravatar says:

    You cannot bypass the identity confirmation feature. No checkbox exists to check, therefore is not the correct answer.

  6. Cat McQuiggNo Gravatar says:

    I still think that A is also a correct answer. If the login restriction is enabled, then you could NOT bypass, correct?

  7. John CoppedgeNo Gravatar says:

    No such option exists, therefore not a valid answer 🙂

  8. Meli ThompsonNo Gravatar says:

    So, from this post string, I am getting that there is no correct answer for this question because there is no such thing as a “Bypass User Identity Confirmation”, nor is there an option in the profiles setup to enable login restrictions.

    I have found quite a few errors in the proprof.com practice exam, making studying for the exam frustrating.

  9. bimbaNo Gravatar says:

    I would like to reason out each option here:
    a)if ip login restrictions are enabled,then wen yu login from the activated ip address, YOU CAN BY-PASS.
    b)if logged in previously with current ip address, then also no activation required, YOU CAN BY-PASS.
    c)”by pass user confirmation” checkbox doesnt exist.
    d)ip address belongs to trusted networks range,so no activation required, YOU CAN BY-PASS.
    So, the option has to be C….:)

    Please reply if am wrong….its a valid question

Leave a Reply