A few months ago, Salesforce implemented a security feature that, while I agree with it on principle (and therefore don’t want to take steps to completely disable it), has been driving me crazy.
In short, when you log in to your Salesforce account, the system looks at your IP and recognizes whether or not you have logged in from that IP before or if your IP is already cleared by the system administrator. If it’s a new IP in your account, you have to click an activation link which sends an email to the account you’re trying to log in under. You click the link in the email which activates the IP and you’re good to log in and get work done.
Businesses that have static IPs (or even dynamic IPs that don’t move around that much) aren’t bothered by this. However, someone like me whose office usually consists of a laptop and any power outlet she can find is finding this security feature challenging to say the least.
Even when I’m home, Verizon is changing my IP at least 2-3x a day. It’s annoying to have to dance over to my email so often to authorize yet another IP address. Thankfully, that email arrives in fractions of a second after I click the link so I’m not delayed that much. Otherwise, I would just authorize entire IP blocks that Verizon DSL uses, which I’m not sure I want to do.
However, yesterday I found out what happens when I can’t get to my email: Not fun.
I did a little presentation/demo at the New York City Nonprofit Salesforce Usergroup. The meeting was hosted at Wells Fargo Insurance services in midtown Manhattan. When I attempted to log in to Salesforce, of course I got the “Activation Needed” box. Okay, so I fire up a browser window to check my email. Now that we are fully migrated to Google Apps, I no longer use a separate mail client. A window pops up that mail.google.com is blocked by the corporate firewall. The little note on the message says that all external email applications are blocked. Uh oh.
So what did we do so I could use my Salesforce account during the demo?
Another attendee (thanks again, Marc!) found that he could use my computer to log in to his webmail (SquirrelMail). I guess they let that one get away, likely since it was webmail.domain.com and not a known mail application. So I clicked the link to activate, retrieved the message on my Blackberry, forwarded to his email where he could open the message in a window on my computer and activate. Phew!
I completely agree with the extra security measure of making sure that the account holder is the person logging in to Salesforce. I agree with the notion that if there’s a doubt, notify the user via the email address on their account. But I wish Salesforce wouldn’t base this decision solely on IP/physical location. Guess what? That’s the point of Salesforce. We can log in from anywhere and move around. There has to be a better way of verifying that I’m me.
What about a software token (Mac compatible, of course) that one could install on a computer in a secure way that Salesforce could check for if it doesn’t recognize the IP address? That way, every time my computer is used to log on, Salesforce knows it’s me. I don’t know.
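The login check described in this post, with the software-token idea from the last paragraph added as a fallback when the IP is not recognized. This is an added example, not Salesforce's implementation or code from the original post; the function names, the HMAC-based token scheme, the key and the addresses are all constructed assumptions.

```python
import hashlib
import hmac
import ipaddress
from typing import Optional

# Constructed sample data; none of these values come from Salesforce.
SERVER_KEY = b"constructed-demo-key"  # hypothetical server-side secret
ADMIN_TRUSTED_RANGES = [ipaddress.ip_network("198.51.100.0/24")]  # cleared by the admin
ACTIVATED_IPS = {"alice@example.org": {"203.0.113.7"}}  # IPs activated via email link


def issue_device_token(user: str, device_id: str) -> str:
    """Token handed to a device after one successful email activation."""
    msg = user.encode() + b"\x00" + device_id.encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def device_token_valid(user: str, device_id: str, token: Optional[str]) -> bool:
    """Recompute the token server-side and compare in constant time."""
    if not token:
        return False
    expected = issue_device_token(user, device_id)
    return hmac.compare_digest(expected.encode(), token.encode())


def login_decision(user: str, source_ip: str,
                   device_id: Optional[str] = None,
                   token: Optional[str] = None) -> str:
    """Return 'allow' or 'email_activation' after the password has been verified."""
    ip = ipaddress.ip_address(source_ip)
    # 1. IP range cleared by the system administrator.
    if any(ip in net for net in ADMIN_TRUSTED_RANGES):
        return "allow"
    # 2. IP this user has already activated through the email link.
    if source_ip in ACTIVATED_IPS.get(user, set()):
        return "allow"
    # 3. Unknown IP, but the device presents a token bound to this user.
    if device_id and device_token_valid(user, device_id, token):
        return "allow"
    # 4. Nothing recognized: fall back to the email activation step.
    return "email_activation"
```

A token kept as a plain file or cookie can be copied to another machine, so a real deployment would store it in an OS keychain or bind it to a hardware-backed key, and let the user revoke it.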