Salesforce is rolling out a RED FLAG against anonymized VPN, proxy and bad-reputation IP addresses: a security measure that is already in action. However, this is also panicking a lot of users out there, especially FIELD users and ADMIN users.
So, what is this change first of all? Read it here:
https://help.salesforce.com/s/articleView?id=005318944&type=1
To explain in simple language:
If your users are accessing your Salesforce instances from VPN networks, proxy servers, or BAD IP addresses, their accounts will get frozen on the fly. As good a security measure as this is, it came to me as panic news. After reading a bit, I found that many people are already panicking, including admins.
For admins there is one more challenge on top of the VPN issue: migrating to PASSKEYS (WebAuthn), since Salesforce is making PHISHING-RESISTANT MFA mandatory for admins/high-privilege users soon.
So, Shubham, what to do? First things first: don't panic.
- Make sure you are not using BAD IP networks, including VPNs, unless the VPN is in the equation for a legitimate reason.
- This does not mean that VPNs are bullshit. Any admin or field service rep using Salesforce in transit across borders might need a VPN to get access. So TRASHING the VPN is not the solution. Get a fixed IP from your VPN provider and add it to your TRUSTED network.
- There might be specialized VPN provider tools/services that can help you which I am not aware of; please raise a ticket with your VPN provider.
- Despite all of this, I believe your core admin location should always be fixed, with no VPN network in between, so that an admin can always come to the rescue.
- If you get locked out, ask your admin to unfreeze your account.
- If integrations break because of this, you will need to ensure the calling service is on a safe IP/network and reissue integration keys as needed.
- Keep a tab on Salesforce security-related webinars to stay updated and ask questions that might be unique to your business.
Salesforce must provide a list of the IP ranges blocked from access. Imagine you are on a normal network and some other device sharing the same public IP does something nefarious via malware or the like. Your user will also get blocked in that case. The same is possible if these IP addresses are assigned to your devices by your ISP on an ad-hoc, rotational basis.
This is like in INDIA: if a phone number is not recharged for a few months, that number goes back into the market pool for resale. But the problem is, what if that number was used in national-level mass scams? Or what about the PII data linked to the phone number? We are talking about the same issues with IPs here.
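To make the trusted-network advice and the shared-IP problem concrete, here is an added example (not Salesforce's code, and not from this post's author) of the decision a login gate makes for one source address. The trusted and flagged ranges are constructed sample values from documentation address space; Salesforce does not publish its real reputation list, so `FlaggedNetworks` is an assumption standing in for it. The `CollateralBlocked` helper shows the second point from above: everyone behind the same flagged public IP is locked out together with the one device that misbehaved.

```go
package main

import (
	"fmt"
	"net/netip"
	"sort"
)

// LoginVerdict is what a trusted-network / IP-reputation gate decides for one login.
type LoginVerdict string

const (
	VerdictTrusted   LoginVerdict = "trusted-network"    // inside an allow-listed range
	VerdictBlocked   LoginVerdict = "blocked-reputation" // inside a VPN/proxy/bad-reputation range
	VerdictChallenge LoginVerdict = "unknown-challenge"  // neither: step up with MFA instead
)

// TrustedNetworks: constructed sample ranges an org might register,
// e.g. the fixed egress IP bought from the VPN provider (198.51.100.7).
var TrustedNetworks = mustPrefixes("203.0.113.0/24", "198.51.100.7/32")

// FlaggedNetworks: constructed sample ranges standing in for the vendor's
// VPN/proxy/bad-reputation list (assumption; the real list is not published).
var FlaggedNetworks = mustPrefixes("192.0.2.0/24", "2001:db8:bad::/48")

func mustPrefixes(cidrs ...string) []netip.Prefix {
	out := make([]netip.Prefix, 0, len(cidrs))
	for _, c := range cidrs {
		out = append(out, netip.MustParsePrefix(c))
	}
	return out
}

func inAny(ip netip.Addr, nets []netip.Prefix) bool {
	for _, n := range nets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// Classify decides the verdict for one login source address. Trusted ranges are
// checked first so a fixed VPN egress IP registered by the admin is not caught by
// the reputation list. Unparsable input is an error, never silently "trusted".
func Classify(src string) (LoginVerdict, error) {
	ip, err := netip.ParseAddr(src)
	if err != nil {
		return "", fmt.Errorf("bad source address %q: %w", src, err)
	}
	ip = ip.Unmap() // treat ::ffff:a.b.c.d as plain IPv4 so IPv4 prefixes match
	switch {
	case inAny(ip, TrustedNetworks):
		return VerdictTrusted, nil
	case inAny(ip, FlaggedNetworks):
		return VerdictBlocked, nil
	default:
		return VerdictChallenge, nil
	}
}

// CollateralBlocked lists the users who share a public IP with the offending user
// and would be locked out with it (the shared-NAT / rotating-ISP-address problem).
func CollateralBlocked(logins map[string]string, offender string) []string {
	offIP, ok := logins[offender]
	if !ok {
		return nil
	}
	var hit []string
	for user, ip := range logins {
		if user != offender && ip == offIP {
			hit = append(hit, user)
		}
	}
	sort.Strings(hit)
	return hit
}

func main() {
	// Constructed sample logins: alice and bob sit behind the same flagged NAT address.
	logins := map[string]string{
		"admin.fixed": "198.51.100.7",
		"field.alice": "192.0.2.44",
		"field.bob":   "192.0.2.44",
		"field.carol": "::ffff:203.0.113.9",
	}
	for user, ip := range logins {
		v, err := Classify(ip)
		fmt.Printf("%-12s %-20s %v %v\n", user, ip, v, err)
	}
	fmt.Println("locked out alongside field.alice:", CollateralBlocked(logins, "field.alice"))
}
```

The order of the checks is the practical point: a fixed VPN address that the admin has added to the trusted network wins over the reputation list, which is exactly why buying a fixed IP and registering it is the suggested fix rather than abandoning the VPN.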
What about the PASSKEY thing?
Well, PASSKEYS are easy to understand. Once enabled, you as a user can log in with an on-device authentication service like your laptop's password manager, Touch ID, Windows Hello, mobile fingerprint, etc. OR you can use a physical hardware key as the second factor of authentication.
Note: here we are talking about the SECOND FACTOR of authentication, i.e. the IDENTITY VERIFICATION process. Earlier this was based on authenticator apps, Salesforce's or others. These apps generate a time-based OTP (TOTP). However, that needs human intervention and makes login harder: you have to open the phone and copy the OTP. Passkeys replace that with a mechanism behind the scenes: a secure cryptographic exchange between your client/machine and the server/service.
Salesforce is going to make this mandatory for ADMINS very soon. PASSKEYS carry the same confusion, though: what happens when a device is lost?
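To show the difference between the two second factors described above, here is an added example (not Salesforce's implementation and not the author's code) that puts a textbook RFC 6238 TOTP next to a simplified passkey flow modelled on WebAuthn. The passkey part is a reduction of the real protocol: the device holds a private key that never leaves it, the service stores only the public key, and login is a signature over a fresh challenge bound to the service's identity (`rpID`). The `Device`, `Service` and `rpID` names, and the origins `example.com` and `phish.example`, are constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// TOTP per RFC 6238 (HMAC-SHA1, 30 s step, 6 digits). Phone and server derive
// the same code from a shared secret; a human reads it off the phone and types it in.
func TOTP(secret []byte, unixTime int64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], uint64(unixTime/30))
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	off := h[len(h)-1] & 0x0f // dynamic truncation offset
	code := binary.BigEndian.Uint32(h[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1000000)
}

// Device models the platform authenticator (constructed for the demo): the private
// key is generated on the device and is never exported.
type Device struct{ priv *ecdsa.PrivateKey }

func NewDevice() (*Device, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{priv: k}, nil
}

// signedData binds the challenge to the service identity the browser actually saw.
func signedData(rpID string, challenge []byte) []byte {
	h := sha256.New()
	h.Write([]byte(rpID))
	h.Write(challenge)
	return h.Sum(nil)
}

// Sign is what the authenticator does after the local unlock (Touch ID, Windows
// Hello, ...). Because rpID is part of the signed data, a signature produced for a
// look-alike site will not verify at the genuine one: that is the phishing resistance.
func (d *Device) Sign(rpID string, challenge []byte) []byte {
	sig, err := ecdsa.SignASN1(rand.Reader, d.priv, signedData(rpID, challenge))
	if err != nil {
		panic(err) // rand.Reader failing is not recoverable in this demo
	}
	return sig
}

// Service models the relying party (constructed): it stores only public keys.
type Service struct {
	RPID string
	keys map[string]*ecdsa.PublicKey // user -> registered passkey public key
}

func NewService(rpID string) *Service {
	return &Service{RPID: rpID, keys: map[string]*ecdsa.PublicKey{}}
}

func (s *Service) Register(user string, d *Device) { s.keys[user] = &d.priv.PublicKey }

// NewChallenge issues 32 fresh random bytes; a signature is only good for this one.
func (s *Service) NewChallenge() []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	return c
}

// Verify accepts the login only if the signature covers this service's rpID and
// the exact challenge it issued, under the key registered for the user.
func (s *Service) Verify(user string, challenge, sig []byte) bool {
	pub, ok := s.keys[user]
	if !ok {
		return false
	}
	return ecdsa.VerifyASN1(pub, signedData(s.RPID, challenge), sig)
}

func main() {
	secret := []byte("12345678901234567890") // RFC 6238 test-vector secret
	fmt.Println("TOTP at t=59:", TOTP(secret, 59))

	dev, _ := NewDevice()
	svc := NewService("example.com")
	svc.Register("admin", dev)
	ch := svc.NewChallenge()
	fmt.Println("genuine site accepted:", svc.Verify("admin", ch, dev.Sign("example.com", ch)))
	fmt.Println("phishing site accepted:", svc.Verify("admin", ch, dev.Sign("phish.example", ch)))
}
```

Two things the code makes visible that the prose only hints at: the TOTP secret is shared by both sides and the code can be typed into any site, while the passkey signature is useless anywhere except the origin it was made for and for any challenge other than the one issued. The lost-device question then reduces to what it is in practice: the registered public key for that device must be revoked and a second, separately enrolled authenticator must already exist.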
Now, my important take on WHY such changes are coming to the table. It might sound like this is for smoother login OR more security, BUT these things must be happening for two key reasons, in my personal view:
- Making the web more comfortable for AI agents. AI agents won't be stopped if they can call the on-device auth service, but with TOTP humans were a blocker, with the TOTP in human hands (cross-device security).
- At the same time, a world of DARK AI AGENTS is killing big businesses by flooding and calling AI agent endpoints or headless endpoints. AI agents are uncontrolled warriors of DDoS attacks. To track it down, RESTRICTING IP ADDRESSES is the only quick fix for now.
Good or bad, these changes are going to increase the revenue of FIXED IP sellers for sure in the short term, and this can also increase unnecessary adoption of IPv6 on a large scale if a thoughtful solution is not framed soon, before this web-agentic pattern explodes.
Yours friendly,
Shubham