Avani

Security Token and User Login Issues.

Hello all :smileyhappy:,
 
I would like to know if any SF admin have issues regarding the new security measure enhancement by SF on December 13th, 2007.
 
My users had issues with getting locked out and I had to reset new passwords and generate security tokens for Outlook Email users.
 
Also, one of my users who works from home is getting this window every time she logs in asking for authentication.  I looked up her login profile and found that the IPs are new every time she logs in. I asked her what network she is trying to log in from. She said she uses Comcast and Cox from two different places to log in to SF.
 
Please let me know if anyone else is in the same boat.
 
Best!
Avani
hudini
I'm having similar issues with my users and occasionally myself as well. Short of switching to a static IP carrier, I would also like to know if you come up with any ideas!
thanks
Hudi
HFalik@aish.com
Avani
Well, I have not found any ideas or workarounds yet. It has got to do with the new security measures taken by SF.
 
For some of my users I reset the security token and added it to their passwords for all external applications including Outlook. This worked well.
 
But some of my users are having issues. Esp the ones working from home.
 
Let me know if you know any further on this issue.
 
Best!
 
Avani
hudini
avani,
see this thread
http://community.salesforce.com/sforce/board/message?board.id=practices&message.id=4360
alevy
If I understand Salesforce's implementation here correctly - this is by far one of their worst ideas - especially in terms of security. 

I am a very regular developer of api applications for Salesforce - and also regularly use api applications (ie data loader, apex explorer, etc etc).  To access salesforce via these applications I am now required to enter (and remember!) : -

1) My Username
2) My Usual Password
3) A 25 character alpha-numeric mixed-case string token. 

Salesforce, in its 'Fundamental Mission' has a goal to provide a Software-Less Access Anywhere database environment.  Now if i require access in a different location to normal (which is very common) - i am required to :-

1)Download the software (ie apex explorer) , 

2) find out my token by resetting the token - thereby breaking any api applications i have built on or off the web in an instant.  

3) access my email (assuming i have access to my email from this outside location)

4) change the saved passwords on any other machine i have ever worked on so that the applications on these machines now are using the updated token code -   and fix up any web based applications so that they now work properly. 

CONCLUSION
---------------------

PASSWORDS WILL BE LESS SECURE
-------------------------------------------------------
Instead of having a nice simple password - that i will change every so often - that i keep in my head.  I have an ugly password&token that i will copy and paste to as many places as possible so that i will always have access to it as there is no way i can possibly remember it.

I will of course also make sure that my computer retains the password&token so that i do not have to type it in each time.  Thereby creating a major security risk. If someone else decides to log on to my computer - they will have instant access to our accounts api.  

ACCESS ANYWHERE IS NOT POSSIBLE
----------------------------------------------------------
I will be hit by a mountain of problems every time i forget my 25 character token key - having to reset it thereby breaking any existing applications or websites (instantly)  which rely on constant salesforce access. 

SLOWER PRODUCTIVITY
-------------------------------------
As a result our productivity is now going to slow down and be fraught with security problems that may be difficult to trace.

UNCOMMON SECURITY
----------------------------------------
This is a ridiculous implementation and must be removed as soon as possible.  I have other ideas for security measures that will be far more effective - and are used by the banking industry to a good result.

DISASTROUS TIME FOR IMPLEMENTATION
-------------------------------------------------------------------
This is also a completely unreasonable time of year to make such a change.  This change has a global effect on the whole of salesforce - or at least anyone who is doing anything useful with it. Salesforce is on holiday - i tried contacting their offices today and it is likely that all the staff are on holiday - and i am sure that in DEC / Jan there are less staff in the offices.    Major changes should be implemented with quality support in mind.


This message is assuming I understand the implementation properly - should I have neglected to understand the implementation then I will retract this message.

Message Edited by alevy on 12-25-2007 06:30 AM

Message Edited by alevy on 12-25-2007 06:32 AM
IHUDI
Hi there.
I found a better solution to resetting my token - also a kludge but at least it won't mess up any API thing you've got set in the background.
Log on via the external application.
It tells you you cannot be logged in.
Log in to SF, view your user record and the IP addresses you have tried logging on from,
add that to the whitelist of IP addresses.
Or you could override this security measure and whitelist all IP addresses :)
Good Luck!
Hudi
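
The whitelisting workaround described in the post above can be reviewed before it is applied. As an added example (not part of the original thread and not Salesforce code), this Python script takes a constructed list of trusted IP ranges and a constructed login history, flags ranges that are too wide to be a meaningful control, and lists the logins that would still fall outside the whitelist. The range format, the size threshold and all sample values are assumptions.

```python
import ipaddress

# Constructed sample data (documentation address blocks, not real users).
TRUSTED_RANGES = [
    ("203.0.113.0", "203.0.113.255"),   # office network
    ("0.0.0.0", "255.255.255.255"),     # the "whitelist all IP addresses" override
]
LOGIN_HISTORY = [
    ("officeuser", "203.0.113.17"),
    ("homeuser", "198.51.100.24"),      # home ISP, address changes per login
    ("homeuser", "192.0.2.200"),
]
MAX_RANGE_SIZE = 65536  # assumed review threshold: wider than a /16 gets flagged

def parse_range(start, end):
    """Return (low, high) address objects, rejecting reversed or mixed ranges."""
    lo, hi = ipaddress.ip_address(start), ipaddress.ip_address(end)
    if lo.version != hi.version or int(lo) > int(hi):
        raise ValueError(f"invalid range {start}-{end}")
    return lo, hi

def range_size(start, end):
    lo, hi = parse_range(start, end)
    return int(hi) - int(lo) + 1

def overbroad_ranges(ranges, limit=MAX_RANGE_SIZE):
    """Ranges so wide that the IP check no longer restricts anything useful."""
    return [r for r in ranges if range_size(*r) > limit]

def is_trusted(ip, ranges):
    addr = ipaddress.ip_address(ip)
    for start, end in ranges:
        lo, hi = parse_range(start, end)
        if lo.version == addr.version and lo <= addr <= hi:
            return True
    return False

def logins_outside_whitelist(history, ranges):
    """Logins that would still need the security token or extra verification."""
    return [(user, ip) for user, ip in history if not is_trusted(ip, ranges)]

if __name__ == "__main__":
    print("Over-broad ranges:", overbroad_ranges(TRUSTED_RANGES))
    narrow = [r for r in TRUSTED_RANGES if r not in overbroad_ranges(TRUSTED_RANGES)]
    print("Outside whitelist:", logins_outside_whitelist(LOGIN_HISTORY, narrow))
```

With the all-addresses entry in place, no login falls outside the whitelist, which means the IP check no longer distinguishes a stolen password used from anywhere from a legitimate login.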

PAPORTES
I agree entirely with this last post - is there a place to register concern with Salesforce that will get noticed?  I use mass update every day, from the same machine and location and I have to enter a ridiculously long security token every time I do (it won't let you copy and paste it either!)