A client contacted me a few weeks ago asking how to reset their Salesforce security token. This is pretty standard fare in the Salesforce administration department…or so I thought. After logging into the org as an administrator and logging in as the client’s user specifically, we both determined that the “Reset my Token” function had, as if magically, disappeared.
Ten minutes of Googling later, we learned why. To quote the Salesforce article:
“If there are any IP range values defined then Reset My Security Token option will not be available.”
In other words, as soon as you specify an IP range on a Profile, any user with that Profile will no longer be able to reset their Salesforce security token, and access is now driven entirely by IP address range. This will impact Data Loader (the most common requestor of a security token that I can think of) and other apps that connect to Salesforce using an “old school” username and password.
Fortunately, most apps are moving away from this security model in favor of newer security models, like OAuth, where usernames and passwords are never shared with the apps. Instead, the app works with a token that has no traces back to your username or password. Better security for you, and less hassle for app developers. Win/win!
Back to those IP ranges: with great power comes great responsibility. I would recommend being judicious with the IP ranges you apply to profiles. Don’t go crazy with a range of 0.0.0.0 to 255.255.255.255 in production; rather, keep the ranges tight to your office IP range and maybe limited ranges for users’ home and mobile access.
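One way to check profiles for overly broad login IP ranges, as an added example that is not from the original post or from Salesforce. It assumes the profile was retrieved through the Metadata API as XML with `loginIpRanges` entries; the 4096-address threshold and the sample profile are constructed for illustration.

```python
import ipaddress
import xml.etree.ElementTree as ET

NS = {"md": "http://soap.sforce.com/2006/04/metadata"}
MAX_ADDRESSES = 4096  # assumed policy threshold, tune for your org

# Constructed sample of a retrieved .profile metadata file (not a real org).
SAMPLE_PROFILE = """<Profile xmlns="http://soap.sforce.com/2006/04/metadata">
    <loginIpRanges>
        <description>Office</description>
        <endAddress>203.0.113.63</endAddress>
        <startAddress>203.0.113.0</startAddress>
    </loginIpRanges>
    <loginIpRanges>
        <description>Temporary</description>
        <endAddress>255.255.255.255</endAddress>
        <startAddress>0.0.0.0</startAddress>
    </loginIpRanges>
</Profile>"""


def audit_login_ip_ranges(profile_xml, max_addresses=MAX_ADDRESSES):
    """Return one finding per loginIpRanges entry that is malformed or too wide."""
    findings = []
    for rng in ET.fromstring(profile_xml).findall("md:loginIpRanges", NS):
        raw_start = rng.findtext("md:startAddress", "", NS).strip()
        raw_end = rng.findtext("md:endAddress", "", NS).strip()
        label = f"{raw_start}-{raw_end}"
        try:
            start, end = ipaddress.ip_address(raw_start), ipaddress.ip_address(raw_end)
        except ValueError:
            findings.append({"range": label, "issue": "unparseable"})
            continue
        if start.version != end.version or end < start:
            findings.append({"range": label, "issue": "malformed"})
            continue
        size = int(end) - int(start) + 1  # number of addresses the range admits
        if size > max_addresses:
            whole = size == 2 ** start.max_prefixlen
            issue = "entire address space" if whole else "too wide"
            findings.append({"range": label, "issue": issue, "size": size})
    return findings


if __name__ == "__main__":
    for finding in audit_login_ip_ranges(SAMPLE_PROFILE):
        print(finding)
```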
Check out this Salesforce Knowledge Base Article for more details: “Missing Reset Security Token Option”. Hopefully this blog post saves someone a head-scratching session with Google. If you have your own Salesforce security token tips to share, leave a comment here or tweet us at @redargyledotcom.