User can use expired password on logging in via Salesforce1
Last updated 2022-02-10 · Reference W-2648624 · Reported By 3 users
When a user signs in to a Connected App (such as Salesforce1), the check for an expired password does not occur. The user can still log in successfully to the Connected App, whereas they are prompted to reset their password if they log in through a desktop browser.
This issue is specific to the Access Token that is provided during the initial login, and should not be confused with the Refresh Token, which does not check for an expired password by design.
1) As a System Administrator, reset all user passwords by navigating to Setup > Security Controls > Expire All Passwords.
2) Do a new login as any user through a Connected App (Salesforce1). Notice the login is successful.
3) Try the same login through the full site in a desktop browser. The user is prompted to change their password as expected.
The only workaround at this time is to use the Salesforce1 Mobile Browser app instead of the downloadable application.
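An audit for the behaviour in the steps above, added here as an example and not Salesforce code: it flags successful Connected App logins made after passwords were expired by users who had not yet changed their password. The export layout, column names, login type value and all sample rows are constructed assumptions.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed login-history export; layout and values are assumptions.
LOGIN_EXPORT = """\
username,login_time,login_type,application,status
alice@example.com,2022-01-10T09:00:00Z,Application,Browser,Success
alice@example.com,2022-01-12T08:30:00Z,Remote Access 2.0,Salesforce1,Success
bob@example.com,2022-01-12T10:15:00Z,Remote Access 2.0,Salesforce1,Success
carol@example.com,2022-01-12T11:00:00Z,Remote Access 2.0,Salesforce1,Failed
dave@example.com,2022-01-12T12:00:00Z,Application,Browser,Success
erin@example.com,2022-01-12T13:00:00Z,Remote Access 2.0,Salesforce1,Success
"""
# Constructed per-user time of the most recent password change.
LAST_PASSWORD_CHANGE = {
    "alice@example.com": "2021-11-01T00:00:00Z",
    "bob@example.com": "2022-01-11T14:00:00Z",   # changed after the expiry
    "carol@example.com": "2021-10-01T00:00:00Z",
    "dave@example.com": "2021-09-01T00:00:00Z",
    "erin@example.com": "2022-01-13T09:00:00Z",  # changed only after logging in
}
EXPIRED_AT = "2022-01-11T12:00:00Z"              # when Expire All Passwords was run
CONNECTED_APP_LOGIN_TYPES = {"Remote Access 2.0"}  # assumed label for OAuth logins

def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def expired_password_logins(export_text, last_change, expired_at):
    """Return (username, application, login_time) for each successful
    Connected App login made while the user's password was still expired."""
    cutoff = parse_ts(expired_at)
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["status"] != "Success":
            continue
        if row["login_type"] not in CONNECTED_APP_LOGIN_TYPES:
            continue  # browser logins are prompted to reset, per the steps above
        when = parse_ts(row["login_time"])
        if when <= cutoff:
            continue  # login happened before passwords were expired
        changed = last_change.get(row["username"])
        # The password was valid again only if changed after expiry and before
        # this login; an unknown change time is treated as still expired.
        if changed is not None and cutoff < parse_ts(changed) <= when:
            continue
        findings.append((row["username"], row["application"], row["login_time"]))
    return findings

if __name__ == "__main__":
    for finding in expired_password_logins(LOGIN_EXPORT, LAST_PASSWORD_CHANGE, EXPIRED_AT):
        print(finding)
```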