Password and Passwordless! Policies For Salesforce Community Cloud

nialljpmurphy
4 min read · Jul 2, 2018

An important consideration for any portal or service community deployment is how to identify the users accessing the service. The Identity layer in the Salesforce platform provides these services and there have been quite a few enhancements over recent releases which I wanted to highlight in this article.

The first point to make regarding password settings is that they are configurable at the profile level. This means that you can have different settings for internal (employee) users and external (customer, partner) users. This is very useful since you may want to place different security controls around internal users versus external users. With external users many businesses tend to move the security needle towards ease of use rather than security. For example, you may set a longer session timeout for external users since you may not want them to have to repeatedly re-enter their password.

Below is a screenshot of the relevant area in Setup: navigate to the profile, then click Password Policies.

The settings here are documented in the following help and training article:

One of the new settings that just became available is the ability to refrain from expiring the links in password reset emails. The scenario here could be usability related: infrequent external users may not respond to password reset emails immediately. There are also other scenarios to consider. The standard behaviour is that a password reset link can be used only once; however, an issue that occurs is that some email clients, as a security precaution, follow unrecognised (non-whitelisted) links in emails in order to verify that they aren't a security risk. This consumes the one-time link before the user ever clicks it. This setting can remedy the problem, though it's important to be aware that it is a less secure setting.

If you check the box then Salesforce will allow reset password links in forgot password emails to be used more than once. The link stays active until a user confirms the password reset request.

The Password Anti-Pattern

Design patterns are general, reusable solutions to a commonly occurring problem within a given context in software design. However, when we need to authenticate users to websites we all too often rely on usernames and passwords, which in my view can become an anti-pattern since it results in one of two undesirable outcomes. Imagine a user of many services on the web that all need a username and password — one of two things will happen: either (i) the user will use the same password everywhere, or (ii) they will reduce password complexity and/or write down the passwords to make them easier to keep track of. Both of these are undesirable and introduce unnecessary security risks. So is asking a user to create yet another password always needed? Of course not. In many circumstances it's possible to use SSO / SAML / OAuth / Social Sign-On to interface with trusted Identity Providers that can verify who the user accessing a web service is.

In the Summer release Salesforce introduced another option — Passwordless Login. Let’s take a closer look.

Password-less Login

Register and verify new users without creating another password. Instead of usernames and passwords, organisations can leverage a variety of verification methods, such as SMS and instant messaging apps, and still report on login activity from Salesforce.

Passwordless is optimised for mobile first experience

This type of identity service is optimised for mobile-first users by letting them log in with something other than an email address. When you need to verify identity, you can challenge users not just with a password but with a variety of other mechanisms.

Essentially, instead of having to remember passwords, you can set users up to authenticate using one-time passwords (OTP) that are sent to the user over email or mobile channels.

The Salesforce Community Builder

This authentication experience is currently delivered using the following Apex methods:

// Register a verification method (here TOTP) for the current user; the returned
// PageReference takes the user through the registration flow
System.UserManagement.registerVerificationMethod(Auth.VerificationMethod.TOTP, startUrl);

// Remove a registered verification method from a user. The Apex method is
// deregisterVerificationMethod (the original post spelled it disconnectVerificationMethod)
System.UserManagement.deregisterVerificationMethod(userId, Auth.VerificationMethod.TOTP);

// Build the list of verification methods the user may choose from, then start a
// passwordless login; the returned PageReference sends the user to the challenge
List<Auth.VerificationMethod> methods = new List<Auth.VerificationMethod>();
methods.add(Auth.VerificationMethod.SMS);
methods.add(Auth.VerificationMethod.EMAIL);
methods.add(Auth.VerificationMethod.U2F);
methods.add(Auth.VerificationMethod.SALESFORCE_AUTHENTICATOR);
methods.add(Auth.VerificationMethod.TOTP);
PageReference challenge = Site.passwordlessLogin(userId, methods, startUrl);
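To show how these calls fit together on an actual Community login page, here is an added example of a small Apex controller (not code from the original post or from Salesforce's samples). It looks the external user up by the email address or mobile number they typed, offers only the verification channels that user can actually receive, and hands off to Site.passwordlessLogin. Assumptions: the class name PasswordlessLoginController, the identifier property, the '/s/' landing page and the "same message for every failure" wording are all mine; the verification methods are assumed to be already registered for the user, as the post describes.

```apex
// Added example, not from the original post: a Community login controller that
// starts a passwordless login for an external user.
// "without sharing" is needed because the login page runs as the guest user,
// who otherwise cannot see User records; keep the class small for that reason.
public without sharing class PasswordlessLoginController {

    // Email address or mobile number entered on the login form (assumed property name)
    public String identifier { get; set; }

    // Finds exactly one active external user and asks the platform to send a
    // one-time code. Returns the challenge page, or null with a generic error.
    public PageReference startLogin() {
        if (String.isBlank(identifier)) {
            return fail();
        }
        // External users always have a Contact; LIMIT 2 lets us detect ambiguity
        List<User> users = [SELECT Id, Email, MobilePhone
                            FROM User
                            WHERE IsActive = true
                              AND ContactId != null
                              AND (Email = :identifier OR MobilePhone = :identifier)
                            LIMIT 2];
        if (users.size() != 1) {
            // Same response for "not found" and "more than one match" so the
            // form does not reveal which identifiers are registered
            return fail();
        }
        User u = users[0];

        // Offer only channels this user can receive; email is always present
        // on a User record, SMS only when a mobile number is on file
        List<Auth.VerificationMethod> methods = new List<Auth.VerificationMethod>();
        methods.add(Auth.VerificationMethod.EMAIL);
        if (String.isNotBlank(u.MobilePhone)) {
            methods.add(Auth.VerificationMethod.SMS);
        }

        String startUrl = '/s/';   // assumed Community landing page after verification
        return Site.passwordlessLogin(u.Id, methods, startUrl);
    }

    // Adds one generic page message and stays on the login page
    private PageReference fail() {
        ApexPages.addMessage(new ApexPages.Message(ApexPages.Severity.ERROR,
            'We could not verify that identifier.'));
        return null;
    }
}
```

The two defensive choices worth keeping are the LIMIT 2 query, which refuses to proceed when an identifier matches more than one account instead of silently picking the first, and the single generic error message, which stops the form from acting as an account-enumeration oracle for the guest user.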

Glossary:

Community Cloud: Salesforce solution for building externally facing digital experiences (web, mobile, etc.) that are connected to your CRM data and processes, and use that data to provide personalised experiences.

Salesforce Identity: Salesforce identity management solution, including capabilities for SSO, two-factor authentication, authentication process flows and other identity management capabilities. Salesforce Identity is included as part of the platform (App Cloud) services in every core Salesforce licence.

External Identity: The customer-facing component of the Identity platform. Under the hood it's actually just a community product without the service (cases, knowledge) capabilities. https://developer.salesforce.com/docs/atlas.en-us.externalidentityImplGuide.meta/externalidentityImplGuide/identity_external_identity.htm

Further Reading:

Release notes

External Identity Impl Guide

Apex dev guide

Code Samples

nialljpmurphy

Solution Engineering Leader. Building teams and products that help organisations connect with each other and their customers. CRM, Commerce, Portals etc.