Authentication Overview

To allow users to sign in quickly and reduce authentication errors, the Veeva CRM app supports the following authentication methods:

Session Management

For offline (mobile) devices, each customer configures their own security policy, including session expiration, in their Salesforce org. When end users download and sign into the Veeva CRM app, they provide their credentials. The CRM app logs into Salesforce using the credentials.

Users of offline (mobile) devices can access certain CRM functionality without an internet connection or an established connection to Salesforce. However, a valid Salesforce session is required to sync data.

Each time the CRM app accesses data in Salesforce, the application needs a valid Salesforce session to query that data. If the application does not have a valid session, it uses the local user’s credentials to establish a new Salesforce session.

If the session expires based on the configured session timeout in Salesforce, the application attempts to reconnect using the cached credentials. This allows the application to automatically send data to Salesforce or access modules that require an internet connection without prompting the user to sign in again.

If a user signs out of the CRM app while on an offline (mobile) device, the Salesforce session expires and the user is signed out.

If a password changes or is expired, the offline (mobile) application cannot establish a valid Salesforce session; the user needs to go online to update their password in Salesforce. The next time the CRM app tries to connect with Salesforce on the offline (mobile) device, the user is prompted to enter the new credentials. Once signed in with a successful connection, the new credentials are written to the respective local data stores.

See OAuth for more information.

See Delegated Authentication for more information.

Requiring Multi-Factor Authentication for Salesforce

Salesforce has announced that with their Spring '24 release, they will require multi-factor authentication (MFA) for all direct UI logins to your Salesforce orgs. The Spring ‘24 release rolls out between January 12 and February 10, 2024.

MFA is available at no extra cost and provides the highest level of security for Veeva CRM. See the Salesforce announcement for more information.

Veeva CRM was reviewed and tested with Salesforce MFA enabled. Veeva CRM on Browser, iOS, Windows, and WeChat platforms all support MFA without configuration changes.

To enforce MFA on iOS platforms, see Signing In with MFA and Custom Domain for more information.

When enabling MFA for users signing in with the existing authentication method, do not perform the following steps: Select the Multi-Factor Authentication for API Logins check box for user profilesSet the Session Security Level Required at Login session setting to High Assurance on user profiles Performing either of these steps prevents usage of Veeva CRM and potentially impacts custom integrations with Salesforce. This does not affect users signing in with the Use Custom Domain link.

Enabling Multi-Factor Authentication for SSO

If customers enable MFA for their SSO identity providers, they do not need to enable Salesforce's MFA for their SSO users.

Some customers have reported that while their users can successfully log into Veeva CRM on their iOS devices using SSO with the MFA challenge of their identity provider, they are still being prompted to activate the Salesforce Authenticator when choosing to Go Online from the app. Salesforce recommends enabling the Waive Multi-Factor Authentication for Exempt Users permission as a temporary workaround when users are prompted for an additional MFA step for SSO login through a mobile app, even when the org complies with the MFA requirement by enabling MFA for the SSO provider.

Completing Multi-Factor Authentication Challenges

After MFA is enabled, Veeva CRM users must complete an MFA challenge when signing in, depending on the platform and authentication method. The MFA challenge is a secondary method of verification to provide an extra layer of protection. The following table specifies which supported platforms and authentication methods require users to complete an MFA challenge:

OAuth and Custom Domain are not supported on the Windows Tablet platform. Federated SAML authentication is supported on iOS platforms when using Custom Domain.


Authentication Method

Supported MFA Methods



MFA not supported


  • Salesforce credentials
  • Delegated authentication using Veeva's username and password fields

MFA not supported

SSO via OAuth 2.0

  • Salesforce MFA
  • Identity Provider MFA

SSO via Custom Domain

  • Salesforce MFA
  • Identity Provider MFA

Salesforce credentials via Custom Domain

Salesforce MFA


Salesforce credentials

Salesforce MFA

SSO via OAuth 2.0 or Custom Domain

  • Salesforce MFA
  • Identity Provider MFA