Salesforce.com is making security changes on Monday Nov. 26, 2007. (Note that the rollout was pushed back a week from their original communications; it is now Monday Nov. 26, 2007.)
There were a couple of webinars today about the changes. The customer-focused webinar will be available at http://www.salesforce.com/security soon. The partner-focused one will be available in the Partner Portal.
Below is my understanding of what was said and a high-level overview of the main impacts. Please add clarifications in the comments.
- If you connect via a Session ID passed from a web link/tab, none of these restrictions apply, as the user is explicitly providing you with access to his/her active session.
- To login with a username and password, the IP address you are logging in from needs to be white-listed.
- Salesforce will pre-populate the org’s whitelist with IPs used in the past 4 months.
- Each end-user can generate an API token to replace their password for API logins.
- API logins using the API token do not require their IP to be whitelisted.
- API tokens do not expire. Only one is active at a time. It can be replaced by the user generating a new one, which automatically invalidates the old one.
- API tokens cannot be used to login at https://www.salesforce.com/login.jsp.
- Going forward, the best practice would be for end users to provide their API token to any app/service they use other than the main Salesforce.com login page.
Logging in at https://www.salesforce.com/login.jsp
- Username and password will still be the way to access Salesforce.com from the main login page.
- A new feature will be added requiring you to confirm that your computer is a valid one for logging in with that username.
- The login page will check if you’ve logged in from that computer before (by looking for a browser cookie)
- If not, an email will be sent to the address on the user record to confirm that you are, in fact, the one trying to log in now.
- You will click a link in that email, "activating" your computer for login with that username.
- Unless you delete the cookie or clear your browser's cache, you should be good to go for a while without repeating these steps.
- There are no new IP restrictions affecting logins at the main login page. The profile-based IP restrictions that have been around for a long time are still the way to go there.
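To make the two sets of rules above concrete (the API login rules in the first list and the main-login-page rules in the second), here is an added example that models them as a small policy-evaluation function. It is illustrative code written for this post, not Salesforce code, and the org whitelist, usernames and token values it uses are constructed sample data.

```python
# Added example: a model of the login rules described in the post, not Salesforce code.
# Assumptions (not from the post): an org is represented by a CIDR whitelist plus a map
# of username -> currently active API token; an attempt names the endpoint it hits.
import hmac
import ipaddress
from dataclasses import dataclass


@dataclass
class OrgPolicy:
    trusted_ranges: list   # the org's IP whitelist as CIDR strings (constructed sample data)
    user_tokens: dict      # username -> active API token; only one per user at a time


@dataclass
class LoginAttempt:
    username: str
    endpoint: str               # "api" or "web" (the main login page)
    credential: str             # "session_id", "password" or "api_token"
    source_ip: str
    secret: str = ""            # the password or token value presented
    has_activation_cookie: bool = False   # browser cookie from a prior activation


def ip_is_whitelisted(ip, ranges):
    """True if the source address falls inside any whitelisted CIDR range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(r, strict=False) for r in ranges)


def rotate_token(policy, username, new_token):
    """A user generating a new token invalidates the old one; returns the old token."""
    old = policy.user_tokens.get(username)
    policy.user_tokens[username] = new_token
    return old


def evaluate(policy, attempt):
    """Return 'allow', 'deny' or 'activate_via_email' for one login attempt."""
    # A session ID handed over from a web link/tab bypasses all of the new checks.
    if attempt.credential == "session_id":
        return "allow"

    if attempt.endpoint == "api":
        if attempt.credential == "api_token":
            # Token logins need no IP whitelisting; compare in constant time.
            active = policy.user_tokens.get(attempt.username)
            if active is not None and hmac.compare_digest(attempt.secret, active):
                return "allow"
            return "deny"
        if attempt.credential == "password":
            # Username/password API logins only succeed from a whitelisted IP.
            if ip_is_whitelisted(attempt.source_ip, policy.trusted_ranges):
                return "allow"
            return "deny"

    if attempt.endpoint == "web":
        if attempt.credential == "api_token":
            # API tokens cannot be used at the main login page.
            return "deny"
        if attempt.credential == "password":
            # No new IP rule here; an unrecognised computer triggers email activation.
            # (Pre-existing profile-based IP restrictions are not modelled.)
            if attempt.has_activation_cookie:
                return "allow"
            return "activate_via_email"

    raise ValueError(f"unsupported endpoint/credential: {attempt.endpoint}/{attempt.credential}")


if __name__ == "__main__":
    org = OrgPolicy(trusted_ranges=["203.0.113.0/24"],
                    user_tokens={"alice@example.com": "tokA"})
    print(evaluate(org, LoginAttempt("alice@example.com", "api", "password",
                                     "198.51.100.5", "pw")))          # deny (IP not whitelisted)
    print(evaluate(org, LoginAttempt("alice@example.com", "api", "api_token",
                                     "198.51.100.5", "tokA")))        # allow (no IP check)
```

The constant-time comparison and the single-active-token rule are the two details worth noticing: rotating a token is the user's only revocation mechanism, since tokens never expire, so any app that was given the old token stops working the moment a new one is generated.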
If you are a consultant, you may fall victim to the new security measure when you try to log in as your client (maybe they couldn't afford another temporary username just for you). On the call, I was told that you can request a temporary one via the Partner Portal or ask your customer to forward you the email to confirm your PC is okay.
I think it is great to see Salesforce taking a step to tighten up the API, especially. I like to think that my old API Authentication List post had something to do with it, but who knows.
The biggest impact to me will be using clients' logins to get into the system from my PC, but I'll just have to work around that one. Security and convenience are generally a trade-off, and overall I'd rather use/subscribe to a service that is tightened down with my business data. If anyone can handle the inconveniences of logging in, it's developers, since we are used to doing hacks/workarounds in the first place.