I’ve read a lot of docs for this and I’m not completely sure what the conditions are for the login verification code to be asked.
Can someone please help with this question and clarify it for me? Thanks
There is a really good help topic that outlines the various controls on login access to your org. Paraphrasing from it:
- The first thing that is checked on any login is your profile login
hours. If you have login hours on your profile, and you are outside
login hours, the login process stops and you are denied access. No
further checks are done. If you don’t have login hours set, or if
you are within login hours, you move to step 2.
- Next we look to see if your profile has an IP restriction set on it.
If you do and you are not within the login IP range, you are denied
access. No further checks are done. No verification email. Nothing.
Your access is blocked absolutely. If you are within your profile IP
range, you are granted access.
- If there is no profile IP range, then we will look for a browser
cookie set that identifies that this user has accessed this org
previously, or if they are within the organization-wide IP
restrictions (Setup > Security Controls > Network Access). If
your browser does not have the cookie, or if you are not within the
org-wide range, your access is blocked…but…there are two ways to
still gain access.
Step 1 is just a gatekeeper step. You won’t be granted access solely based on login hours, but you must meet the criteria to get access.
Step 2 is absolute and, if a profile IP range is in place, completely supersedes step 3.
Step 3 is only tested if there is no profile IP range.
If Step 3 blocks your access, as I mentioned, two other options exist to gain access.
- The user can click on the Email Me a Verification Code button, in which case it will be emailed to them (SMS is also an option today) and they enter in the code to gain entry. The system will then set a cookie in the browser for the next time they access the org from that endpoint.
- The user can pass their security token in with the password.
The first time a new user logs into an org, if there are no IP range restrictions, they will be granted access and the cookie is set.
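
The order of checks described in the answer above can be modeled as a small decision function. This is an added example, not Salesforce code and not part of the original answer: the class names, field names and outcome strings are hypothetical, the sample addresses are constructed, and it assumes that either the browser cookie or an org-wide trusted range is enough to pass step 3.

```python
from dataclasses import dataclass, field
from datetime import time
from ipaddress import ip_address, ip_network

@dataclass
class Policy:                       # hypothetical model of the org/profile settings
    login_hours: tuple = ()         # (start, end) as datetime.time, empty if unset
    profile_ranges: list = field(default_factory=list)  # profile login IP ranges
    org_ranges: list = field(default_factory=list)      # org-wide Network Access

@dataclass
class Login:                        # hypothetical model of one login attempt
    ip: str
    at: time
    has_cookie: bool = False        # browser was verified for this org before
    token_appended: bool = False    # security token passed in with the password
    first_login: bool = False       # first ever login of a new user

def in_ranges(ip, ranges):
    addr = ip_address(ip)
    return any(addr in ip_network(r) for r in ranges)

def evaluate(login, policy):
    # Step 1: login hours are a gatekeeper; failing them stops everything.
    if policy.login_hours:
        start, end = policy.login_hours
        if not (start <= login.at <= end):
            return "DENY_LOGIN_HOURS"
    # Step 2: a profile IP range is absolute and supersedes step 3.
    if policy.profile_ranges:
        if in_ranges(login.ip, policy.profile_ranges):
            return "ALLOW"
        return "DENY_PROFILE_IP"    # no verification email, no token fallback
    # Step 3: only reached when the profile has no IP range.
    if login.has_cookie or in_ranges(login.ip, policy.org_ranges):
        return "ALLOW"
    if login.first_login and not policy.org_ranges:
        return "ALLOW_SET_COOKIE"   # new user, no IP range restrictions at all
    if login.token_appended:
        return "ALLOW"              # security token passed with the password
    return "CHALLENGE_VERIFICATION_CODE"   # code by email/SMS, then cookie is set
```

In this model the verification code is requested only on the last line: no profile IP range, no cookie, an address outside the org-wide range, and no security token.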