What's with the verification lawmaking ? Why is my Salesforce asking for it and so many times ?

With the Spring '16 release, Salesforce has upped the security of a login. They decided that the credentials and the IP address that a user logs in from is just not enough to verify that the person logging in is the actual user. At present, they've added the browser to the list of things that are verified when yous login. What happens is that, Salesforce checks the credentials, the IP address and the browser cookies to bank check if there have been previous logins with the same combo. If non, a verification lawmaking is sent to your email id/mobile. This security construction actually makes it less probable for someone to login, even if they accept your Salesforce credentials.

The mechanism to authenticate with verification codes was always there. People with trusted IP ranges on their Org would've come across it when trying to login from a different network. It's just that now, information technology'south asked for more frequently than earlier.

https://releasenotes.docs.salesforce.com/en-us/spring16/release-notes/rn_security_auth_stop_trusting_ip.htm

How do I stop it ?

Short answer, you can't. Only, you lot can reduce the frequency of the verification lawmaking request depending on how your visitor uses Salesforce.

  1. If your company/office has a specific range of IP addresses that information technology uses for information technology's network, y'all're in luck. Talk to your network/IT team, and once you lot accept the IP range, add it to the trusted IP ranges under Setup > Security Controls > Network Access
  2. If y'all're someone who travels a lot, try to become a VPN. Logging in from a VPN into Salesforce uses the IP address of the VPN network and makes Salesforce think that yous are logging in from the company'south network.
  3. This one is important: Make certain that browser cookies are not erased when yous shut the browser. When at that place isn't a possibility of adding IP ranges or using VPN, this one stride is a must. When you login for the first time from a new browser or a new unauthenticated IP (after verification, of course), the browser cookies continue info of the login. At the adjacent login from the same browser, the cookies are checked for a previously successful login. So practise not clear cookies. Some companies take a policy of clearing cookies on company computers for security reasons. Talk to your Information technology team to see if there tin be an exception made.
  4. Get the Salesforce Authenticator app . This doesn't really make the verification code request go abroad, but at least yous don't have to expect for the lawmaking.

https://assist.salesforce.com/apex/HTViewSolution?id=000232553

I want the code to be sent to my email and not my phone (or vice versa, or both)

You lot tin can choose to receive verification codes on your phone or your email or on both. Every user that exists on Salesforce has 2 fields- email and mobile telephone. Now, the mobile phone field is non mandatory, so many users may not take it filled. When Salesforce wants to send a verification code, it checks whether you have a mobile number entered in your user record and sends information technology to that number. If in that location isn't a number, it volition send the verification code to the email of the user (information technology'south a mandatory field, so every user'southward got one). You lot tin choose to get the lawmaking on both email and phone. Only check this permission on your profile- E-mail-Based Identity Confirmation .

https://assistance.salesforce.com/HTViewSolution?id=000198756&language=en_US

I'm non getting the verification code !

Hither, you need to commencement check where y'all get the verification code. The best place to find out if the verification code was sent and where it was sent is from the Setup > Identity Verification History section.

Screen Shot 2016-03-28 at 1

https://assistance.salesforce.com/noon/HTViewHelpDoc?id=security_verification_history.htm&language=en_US

If you were asked for a verification code, at that place will be an entry here adjacent to your username. Bank check the "Method" column to run across if it was sent as a text message or an electronic mail. If it was sent as a text bulletin, brand certain that your phone number is correct. Sometimes the format of the phone number would exist wrong and the verification lawmaking doesn't really reach the phone. The advisable format for the phone number is something like +44 1234567890. Re-register your phone if this is the case. Y'all can as well have the phone number removed for the time existence to become the lawmaking on your electronic mail id.

If it'south sent to your electronic mail, check the spam folder of your inbox or talk to your IT team to see if they have any security policy blocking these emails.

What about Salesforce1 ?

Salesforce1 clears the cookies when a user logs out of the app. Logout is dissimilar from merely minimizing the app in the groundwork. Once a logout from the app happens, the cookies on the app are cleared and y'all will be asked for a verification code on the side by side login. This happens on every logout/login. Talk to your Salesforce administrator about setting up the app and so that the Salesforce1 doesn't become logged out automatically.