What’s with the verification code ? Why is my Salesforce asking for it so many times ?

With the Spring ‘16 release, Salesforce has upped the security of a login. They decided that the credentials and the IP address that a user logs in from is just not enough to verify that the person logging in is the actual user. Now, they’ve added the browser to the list of things that are verified when you login. What happens is that, Salesforce checks the credentials, the IP address and the browser cookies to check if there have been previous logins with the same combo. If not, a verification code is sent to your email id/mobile. This security structure actually makes it less likely for someone to login, even if they have your Salesforce credentials.

The mechanism to authenticate with verification codes was always there. People with trusted IP ranges on their Org would’ve come across it when trying to login from a different network. It’s just that now, it’s asked for more frequently than earlier.

https://releasenotes.docs.salesforce.com/en-us/spring16/release-notes/rn_security_auth_stop_trusting_ip.htm

How do I stop it ?

Short answer, you can’t. But, you can reduce the frequency of the verification code request depending on how your company uses Salesforce.

1. If your company/office has a specific range of IP addresses that it uses for it’s network, you’re in luck. Talk to your network/IT team, and once you have the IP range, add it to the trusted IP ranges under Setup > Security Controls > Network Access
2. If you’re someone who travels a lot, try to get a VPN. Logging in from a VPN into Salesforce uses the IP address of the VPN network and makes Salesforce think that you are logging in from the company’s network.
3. This one is important: Make sure that browser cookies are not erased when you close the browser. When there isn’t a possibility of adding IP ranges or using VPN, this one step is a must. When you login for the first time from a new browser or a new unauthenticated IP (after verification, of course), the browser cookies keep info of the login. At the next login from the same browser, the cookies are checked for a previously successful login. So do not clear cookies. Some companies have a policy of clearing cookies on company computers for security reasons. Talk to your IT team to see if there can be an exception made.
4. Get the Salesforce Authenticator app. This doesn’t really make the verification code request go away, but at least you don’t have to wait for the code.

https://help.salesforce.com/apex/HTViewSolution?id=000232553

I want the code to be sent to my email and not my phone (or vice versa, or both)

You can choose to receive verification codes on your phone or your email or on both. Every user that exists on Salesforce has two fields- email and mobile phone. Now, the mobile phone field is not mandatory, so many users may not have it filled. When Salesforce wants to send a verification code, it checks whether you have a mobile number entered in your user record and sends it to that number. If there isn’t a number, it will send the verification code to the email of the user (it’s a mandatory field, so every user’s got one). You can choose to get the code on both email and phone. Just check this permission on your profile- Email-Based Identity Confirmation.

https://help.salesforce.com/HTViewSolution?id=000198756&language=en_US

I’m not getting the verification code !

Here, you need to first check where you get the verification code. The best place to find out if the verification code was sent and where it was sent is from the Setup > Identity Verification History section.

https://help.salesforce.com/apex/HTViewHelpDoc?id=security_verification_history.htm&language=en_US

If you were asked for a verification code, there will be an entry here next to your username. Check the “Method” column to see if it was sent as a text message or an email. If it was sent as a text message, make sure that your phone number is correct. Sometimes the format of the phone number would be incorrect and the verification code doesn’t really reach the phone. The appropriate format for the phone number is something like +44 1234567890. Re-register your phone if this is the case. You can also have the phone number removed for the time being to get the code on your email id.

If it’s sent to your email, check the spam folder of your inbox or talk to your IT team to see if they have any security policy blocking these emails.

What about Salesforce1 ?

Salesforce1 clears the cookies when a user logs out of the app. Logout is different from just minimizing the app in the background. Once a logout from the app happens, the cookies on the app are cleared and you will be asked for a verification code on the next login. This happens on every logout/login. Talk to your Salesforce administrator about setting up the app so that the Salesforce1 doesn’t get logged out automatically.