Website: The standard Salesforce user interface.

Security Token: Grants API access, requires appending a security token to the end of the password but skips the activation process.  Commonly used for integrations and other applications that are intended for system administrators (rather than end users).

OAuth:  Grants access using a standard username and password, uses the standard activation process and requires that the user grant access to the application.  Commonly used for end user applications (demo).

Single Sign On (SSO):  Uses another set of credentials (for example your laptop username and password, which is linked to Active Directory) to authenticate to Salesforce (this would mean that you would not need a username and password in order to login).  In-depth knowledge of SSO is not required for this course.

Some applications, such as the Data Loader, will allow you to choose your authentication method.  In this example, “Password Authentication” would require a security token, while “OAuth” would require that the user grant access to the application.

Identity verification (previously referred to as device activation or computer activation) requires that the user take an additional step to complete the authentication process from an unidentified device.  This step is typically to enter a challenge code delivered via email or text message.

This process is designed to prevent unauthorized access to Salesforce.com, particularly in the event of a hijacked username and password.

Identity verification is typically required when a) there is no cookie in the browser indicating a previous login AND b) the user is connecting from OUTSIDE of a trusted network (or no trusted network is declared).

A user must append their security token to their password when authenticating via the API, unless they are connecting within a Trusted IP range.