Balancing Security and Agility: Updates to Step-Up Authentication for Reports and Dashboards

Balancing Security and Agility: Updates to Step-Up Authentication for Reports and Dashboards

At Salesforce, Trust is our number one value, from the inside out. As AI becomes more prevalent as a tool leveraged by bad actors, attacks become faster and less predictable. To help our customers guard against common attacks, like session hijacking, Salesforce continues to harden customer configured controls in the Salesforce Platform.

Recently, we began rolling out Step-up Authentication for report actions, starting with sandbox environments. Think of it like the extra passport check at an airport gate as you board an international flight even though you’ve already shown your passport to get your boarding pass. Step-up Authentication is an extra check point. Even if an attacker gains access to a valid session identifier, they can’t extract your most sensitive data.

The challenge: balancing security with agility

Strong security is a balancing act. Managing least privilege access is never-ending work, and we know it can sometimes call for restrictions that add an extra step to your day to day operations. During the initial rollout of the Step-up Authentication enforcement, we saw that the requirement introduced unintended friction and unexpected behaviors into everyday workflows. We’re committed to transparency and rapid improvement, and our engineering teams have been actively deploying updates so that security enhancements empower users rather than get in their way. 

How we are improving the Step-up Authentication experience

We’re taking action to ease that operational friction right away. First, we reevaluated which actions trigger the step-up prompt, and we’re making two key changes:

  • Step-up Authentication on report export only: Instead of monitoring all access to reports and dashboards, we’re narrowing step-up authentication so it triggers only on  report export. That will significantly reduce how often Step-up appears while keeping the security posture that matters.
  • Respect configured IP range controls: More visibility into the IP address behind a request lets us make smarter decisions about when Step-up is needed. If an org or a user’s profile has IP range restrictions defined, that exempts the session from the Step-up authorization. Similarly, if the org has “Lock sessions to the IP address from which they originated” enabled (Setup → Session Settings), that session is exempt too. 

Second, after the rollout to sandboxes, you gave us clear feedback on several issues. We’ve addressed and shipped fixes for each: 

  • Seamless embedded dashboards: We found that dashboards embedded on Home pages displayed a “This page has an error” message instead of an authentication prompt. The root cause was that the analytics REST API enforced the step-up policy in contexts like Lightning App Builder components, where an interactive challenge prompt wasn’t available. That’s now resolved, and these components now work seamlessly.
  • Uninterrupted admin troubleshooting: We found that Step-up Authentication broke the admin “Login As” function, sending the MFA prompt to the end user instead of the admin doing the troubleshooting. To restore this essential support tool, “Login As” now exempts proxy users from the step-up requirement, mirroring our existing MFA exemption logic.
  • Frictionless automation: To ensure that shared integrations and scheduled reports keep running without manual intervention, automated background jobs will now bypass step-up via a null-session check.
  • Mobile and Experience Cloud access: To maintain a frictionless experience for partners, customers, and on-the-go users, we have exempted both Experience Cloud users and Mobile App users from the Step-up enforcement requirements.

No action required for admins

The fixes above and the changes to which actions trigger the Step-up Authorization have already been deployed. No admin action is required. If you previously disabled embedded dashboards or paused scheduled reports as a workaround, you can safely re-enable them. For ongoing updates, subscribe to the Known Issue article linked below.

Keeping strong security hygiene across your organization is essential. Standard measures aren’t always enough against sophisticated adversaries, which is why we continue to build more secure-by-default controls into our products. We believe that security controls should protect your data without disrupting your workflows, and will continue to refine Step-up Authentication based on your feedback.  

Resources

Security best practices

Curious about more ways to bolster the security of your Salesforce org? Check out our guide for additional guidance and resources.


offer illustration layout one


offer accent layout one


offer cloud layout one

Share this post :

Facebook
Twitter
LinkedIn
Pinterest

Create a new perspective on life

Your Ads Here (365 x 270 area)
Latest News
Categories

Subscribe our newsletter

Stay updated with the latest tools and insights—straight from ToolRelay.