Snowflake Will Block Single-Factor Password Authentication

Snowflake has announced a phased plan to eliminate single-factor password authentication by November 2025, enhancing account security and aligning with the Cybersecurity and Infrastructure Security Agency’s (CISA) Secure by Design principles.

Phased Implementation Timeline:

1. April 2025: Snowflake will implement a default authentication policy enforcing multi-factor authentication (MFA) for all human users during password-based sign-ins. Users without a custom authentication policy will be prompted to enroll in MFA upon their next login. Additionally, access to Snowsight will be blocked for users classified under the LEGACY_SERVICE type.

2. August 2025: MFA will become mandatory for all human users engaging in password-based sign-ins, regardless of any existing custom authentication policies.

3. November 2025: Snowflake will completely disable single-factor password authentication for all user types, including human and service users. The LEGACY_SERVICE user type will be deprecated, with all such users transitioned to the SERVICE user category.

User Classifications:

Human Users: Individuals who access Snowflake interactively, designated in the user object with TYPE = PERSON or NULL.

Service Users: Accounts utilized for programmatic access without interactive login, identified with TYPE = SERVICE or LEGACY_SERVICE. These users are exempt from MFA policies. SERVICE users are prohibited from using passwords, while LEGACY_SERVICE users have a temporary exception until their applications are updated.

Implications for Authentication Methods:

This policy change does not affect users authenticating via single sign-on (SSO) methods such as SAML or OAuth, nor those using key-pair authentication.
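The following Python example is added here for illustration and is not Snowflake's code: it applies the timeline and user classifications above to a list of user records and reports which phases affect each one. The record field names and the sample users are constructed assumptions, and the handling of custom authentication policies in April follows this page's wording.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class User:
    # Field names are hypothetical; fill them from your own user export.
    name: str
    type: Optional[str]        # TYPE on the user object; None stands for NULL
    has_password: bool
    mfa_enrolled: bool = False
    custom_auth_policy: bool = False

def impacts(u: User) -> List[Tuple[str, str]]:
    """Return (phase, effect) pairs from the announced timeline that apply to u."""
    utype = u.type.upper() if u.type else "PERSON"   # NULL counts as a human user
    if utype not in {"PERSON", "SERVICE", "LEGACY_SERVICE"}:
        raise ValueError(f"{u.name}: unknown user type {u.type!r}")
    out = []
    if utype == "LEGACY_SERVICE":
        out.append(("2025-04", "Snowsight access blocked"))
        effect = "converted to SERVICE"
        if u.has_password:
            effect += "; password sign-in disabled, needs key-pair or OAuth"
        out.append(("2025-11", effect))
    elif utype == "PERSON" and u.has_password and not u.mfa_enrolled:
        if not u.custom_auth_policy:
            out.append(("2025-04", "prompted to enroll in MFA at next login"))
        out.append(("2025-08", "MFA mandatory for password sign-in"))
    # SERVICE users cannot use passwords, and SSO or key-pair sign-ins are
    # unaffected, so everything else returns an empty list.
    return out

def worklist(users: List[User]) -> List[Tuple[str, str]]:
    """Users that need action, ordered by the earliest phase that affects them."""
    return sorted((impacts(u)[0][0], u.name) for u in users if impacts(u))

# Constructed sample records, not real accounts.
SAMPLE = [
    User("alice", None, has_password=True),
    User("bob", "PERSON", has_password=True, custom_auth_policy=True),
    User("carol", "PERSON", has_password=True, mfa_enrolled=True),
    User("dave", "PERSON", has_password=False),              # SSO only
    User("etl_old", "LEGACY_SERVICE", has_password=True),
    User("etl_new", "SERVICE", has_password=False),          # key-pair
]

if __name__ == "__main__":
    for phase, name in worklist(SAMPLE):
        print(phase, name)
```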

Support for Transition:

To assist customers in adapting to these changes, Snowflake has provided a white paper and a video migration guide. Additionally, the Trust Center features a Threat Intelligence scanner package to identify users at risk of losing access under the new policies.

Collaborations and Future Enhancements:

Snowflake is collaborating with partners, including Tableau, to ensure their solutions align with the enhanced authentication protocols. The company is also investing in additional security features, such as native support for passkeys and time-based one-time passwords (TOTP) compatible with authenticator apps. These initiatives complement existing capabilities like Leaked Password Protection and the Trust Center.

By phasing out single-factor password authentication, Snowflake aims to bolster data security and mitigate risks associated with credential theft, reinforcing its commitment to providing a secure platform for its users.

Source: https://www.snowflake.com/en/blog/blocking-single-factor-password-authentification/
