Don’t like identity confirmation? Here’s one way to disable it. [Not a Best Practice]

Posted November 28th, 2010 in Tips & Tricks by John Coppedge

Just for the record, I am not recommending this as a solution.  This decreases the security of your Salesforce org, and is generally against best practices.  If you don’t fully understand the implications I would definitely not recommend this solution.  That said, I saw a client that did exactly this and thought I would share:


Turn off identity confirmation entirely: trust all IP addresses.  This way the connecting IP address is always trusted, and therefore identity confirmation is always bypassed.  Likewise, you will never need a security token for any connection.


This also means that if someone gets a Salesforce username/password combo from any user with API access, they can login and extract your entire database without a security token or email address verification from anywhere in the world.  Use with caution!