
November 2007

New Security Enhancements

Most of you should have recently received the email below outlining the new security enhancements that Salesforce.com is rolling out. These security measures are similar to those deployed by many leading banks to manage access to their online banking applications. For over a year now my bank has required me to go through a process of identifying who I am whenever I log in from a new location by sending a key to my email address and then having me enter it via their site. Although it is sometimes a frustrating process, I am happy to do it because of the sensitive nature of the information made available to me via their site. My feelings are pretty much the same about the changes Salesforce.com is making. Security is not always pleasant, but it is necessary and appreciated when a threat occurs.

Dear Salesforce Administrator,

At salesforce.com, we're actively delivering new security enhancements to protect customers against known threats.

One such enhancement will be “Identity Confirmation,” which is a set of features to help reduce the risk of phishing by requiring users to confirm their identity when accessing Salesforce from a different computer and from an unrecognized location for the first time. Before such users can log in, they will have to complete additional steps to confirm their identity—the exact steps will depend on whether they are using a browser or logging on via an API client, such as Connect for Outlook, Connect Offline, Apex Data Loader.

Please be prepared to explain these steps to your users—they are outlined below and explained in detail in this webinar (https://www.salesforce.com/security/).

Our goal is to minimize the impact of these features on users by allowing established patterns of usage to continue unchallenged. You will be able to designate a list of trusted IP ranges for your organization in Salesforce. Users who access Salesforce from IP addresses included in this list will not be affected by these changes. *

To facilitate the process for administrators, salesforce.com will pre-populate a list of trusted IP ranges for your company once, based on an analysis of the last four months of your organization's login data.

Please check the schedule (https://trust.salesforce.com/security.html#identity) to find out when Identity Confirmation will be activated for your company. Next, review the list of pre-populated trusted IP ranges for accuracy and completeness as soon as possible. It will be your responsibility to update the list of trusted IP ranges by adding new ranges as needed. To manage the list, go to Setup->Administration Setup->Security Controls->Network Access.

New login procedure for first log in from an untrusted network:

When users try to log in from a new browser and a new IP address, login will fail and an error message appears. Users can take the following steps to activate their computers:

   1. In response to the error message, click the Send Activation Link button to trigger an email message. Remind users that salesforce.com will never ask them for their login information via email.
   2. Open the email message that contains the activation link
   3. Copy the link and paste it into the browser within 24 hours. A message confirms that the computer has been activated.
   4. Once activation is complete, users can log in to Salesforce as usual. They will not be required to activate that location or browser again.

To access Salesforce from an untrusted network using a desktop application, users will be required to replace their current password with a combination of their password and a security token by taking the following steps:

   1. Log in to Salesforce via the browser to request their security token.
   2. Go to Setup->My Personal Information->Reset Security Token.
   3. Click the Reset Security Token button to trigger an email that will contain their security token.
   4. Select and copy the token from the email and use it to log in.
   5. In the application, replace their password with a combination of the password and the security token. For example, if the password is “MyPassword” and the security token is “XXXXXX”, they would enter “MyPasswordXXXXXX” into the password field.

Summary: Next Steps

   1. Important! View the Webinar (https://www.salesforce.com/security/) to be prepared to answer your users' questions. You can also refer users to the Webinar.
   2. Check the schedule (https://trust.salesforce.com/security.html#identity) to find out when Identity Confirmation will be implemented for your company and notify your users.
   3. Check the pre-populated list of trusted IP addresses for completeness and accuracy.
   4. Maintain this list to ensure a smooth login experience for your users. To manage the list, go to Setup->Administration Setup->Security Controls->Network Access.

*Notes:

    * The Identity Confirmation features are backwardly compatible with existing software—there should be no need to upgrade or patch software to use the security token.
    * Users with profiles with login IP range restrictions will be exempt from having to take additional steps.
    * These features will not be enabled for organizations that implemented single sign-on using delegated authentication.

Thank you for your help in keeping your company and your users safe from phishing attacks. If you have additional questions, please contact salesforce.com support.

Sincerely,

Parker Harris
EVP Technology
Salesforce.com
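
The email above asks administrators to review the pre-populated trusted IP ranges for accuracy and completeness. As an added example (not part of the original email and not Salesforce code), the sketch below compares a login history against a trusted list and reports the source addresses that fall outside it; the start/end range format, the record layout and all sample values are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data (not from the original email): trusted ranges as
# (start, end) pairs and login records as (username, source IP).
TRUSTED_RANGES = [
    ("203.0.113.0", "203.0.113.63"),
    ("198.51.100.10", "198.51.100.20"),
]
LOGIN_HISTORY = [
    ("alice@example.com", "203.0.113.5"),
    ("alice@example.com", "192.0.2.44"),
    ("bob@example.com", "198.51.100.15"),
    ("bob@example.com", "198.51.100.21"),  # one address past the range end
    ("carol@example.com", "192.0.2.44"),
]

def parse_ranges(ranges):
    """Turn (start, end) strings into address pairs, rejecting reversed ranges."""
    parsed = []
    for start, end in ranges:
        lo, hi = ipaddress.ip_address(start), ipaddress.ip_address(end)
        if lo.version != hi.version or lo > hi:
            raise ValueError(f"invalid range {start}-{end}")
        parsed.append((lo, hi))
    return parsed

def is_trusted(ip, parsed_ranges):
    """True if ip lies inside at least one trusted range (bounds inclusive)."""
    addr = ipaddress.ip_address(ip)
    return any(lo.version == addr.version and lo <= addr <= hi
               for lo, hi in parsed_ranges)

def uncovered_logins(history, ranges):
    """Map each source IP outside every trusted range to the users seen on it."""
    parsed = parse_ranges(ranges)
    gaps = defaultdict(set)
    for user, ip in history:
        if not is_trusted(ip, parsed):
            gaps[ip].add(user)
    return {ip: sorted(users) for ip, users in gaps.items()}

if __name__ == "__main__":
    report = uncovered_logins(LOGIN_HISTORY, TRUSTED_RANGES)
    for ip, users in sorted(report.items()):
        print(f"{ip}: {', '.join(users)} would be asked to confirm identity")
```

An address that shows up in this report is a candidate for review rather than automatic addition: confirm that it belongs to your organization before adding it to the trusted list.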

New Approach to Lookups?

It appears that a new approach to lookups may be on the horizon. In a recent post on the Successforce Blog, Emily Liggett from the Salesforce.com User Experience team talks about some ideas that are being tested in an attempt to improve this functionality. I have always thought the current lookup process of clicking on the magnifying glass icon to launch a new window to search for a record simply took too long. It was one of those things that you just accept when using a web application because of all the other inherent benefits an online system has to offer.

Well, this trade-off may no longer be one we have to settle for. It looks like the preferred future approach may be having an auto-complete box. Imagine being able to just start typing the name of a record you are looking for and a drop down appears that starts displaying possible matches and narrowing them down as you type. Hopefully this is a feature that we will see in spring or summer of 2008. If you have a Firefox 2.0+ browser you can take a test drive of this prototype by clicking here. It will unfortunately not work with Microsoft Internet Explorer.

MyLoanBiz for Salesforce.com Winter '08 Release is Here!

It has been a long time coming but it is finally here and we believe it was well worth the wait. This is our biggest release ever and fundamentally changes the way our users will utilize our application. Here is a quick snippet of some of the new features we have added (many of which we have highlighted on this blog over the last few weeks):

Contact Object Features

  • Contact List View Button - Change Owner
  • Contact List View Button - Mass Update
  • Contact List View Button - Mass Delete
  • New Referral Source button

Deal Object Features

  • Deal Detail Page Button - Convert
  • Deal Detail Page Button - Close Out
  • Deal Detail Page Button - Email Borrower
  • Deal List View Button - Mass Email
  • Deal List View Button - Mass Delete
  • Deal List View Button - Change Status
  • Deal List View Button - Change Product

This update is available to all current MyLoanBiz for Salesforce.com customers who are on a managed package release of our application. In order to receive this upgrade you need to install the MyLoanBiz for Salesforce.com Winter '07 managed package on your account. This is a relatively simple process and all you have to do is email us at support@myloanbiz.com to request your upgrade and we will email you back a link to the package install site along with the release notes.