3

Don’t like identity confirmation? Here’s one way to disable it. [Not a Best Practice]

Posted November 28th, 2010 in Tips & Tricks by John Coppedge

Just for the record, I am not recommending this as a solution.  This decreases the security of your Salesforce org, and is generally against best practices.  If you don’t fully understand the implications I would definitely not recommend this solution.  That said, I saw a client that did exactly this and thought I would share:

image

Turn off identity confirmation entirely: trust all IP addresses.  This way the connecting IP address is always trusted, and therefore identity confirmation is always bypassed.  Likewise, you will never need a security token for any connection.

 

This also means that if someone gets a Salesforce username/password combo from any user with API access, they can login and extract your entire database without a security token or email address verification from anywhere in the world.  Use with caution!

 

Cheers,

 

John

3 Responses so far.

  1. RyanNo Gravatar says:

    If you’re using Enterprise edition, you can do the same thing, but do it on the profile. This way you can enter 1.1.1.1 to 255.255.255.255. It lets you enter this in one shot, but it would have to be done to each profile. This is super helpful even if done temporarily or in developer orgs. http://dl.dropbox.com/u/72321/Screenshots/login%20ip%20ranges.png

  2. John CoppedgeNo Gravatar says:

    Awesome tip, thanks Ryan

  3. GeraldineNo Gravatar says:

    One of my clients just used something like 0.0.0.00 No idea how it works and of course I can’t find it now but
    I have never had to use a security token since the first day I began working with them.

Leave a Reply