Monitoring the login history

Another metric that is useful for security purposes is the monitoring of every login attempt on your organization. With this metric, you know exactly who is logging in, how many times they have logged in, and from where they are logging in—for example, you can check whether your users are logging in from certain locations or using an out-of-policies browser.

Click on Setup | Identity | Login History to bring up the following page:

This page shows up to 20,000 login attempts over the last six months. If you need more, you can download a CSV or a zipped file.

We can even create a filtered list to show only a subset of the records (for example, only incorrect password login attempts).

Some of the relevant information on this page is as follows:

• Username
• Login Time
• Source IP: This is the IP from which the user has tried to log in. Use this information to find out whether you have a user accessing the organization outside the allowed and authorized locations (for example, check whether they are using the security token from an outside app).
• Location: This is the inferred location based on IP address information.
• Login Type: The kind of login used (for example, Application, Remote Access 2.0, OAuth, SAML)—that is, which methods are my users using?
• Status: Login status (Success or the reason for failure, such as Invalid Password or User Locked).
• Application: The kind of application used (Browser or any other custom app).
• Browser
• Platform: The kind of platform (for example, the operating system) used for login.
• Login URL: Which login endpoint has been used. You can monitor whether users are using the standard login page or the My domain URL.
• Community: The originating community.
• HTTP Method: Using the GET method should be avoided because it may inadvertently expose the user's username and password.

By creating a new list view, we can show more columns, such as the following:

• TLS Protocol: The encryption protocol used by a user's client application.
• Latitude and Longitude: The accuracy depends on various factors.
• Country, Country Code, City, Postal Code, and Subdivision: These are inferred from the geolocation:

The same information can be found on the user's record page in the Login History section.