Introduction
Snowflake is set to enhance its security measures by mandating multi-factor authentication (MFA) for all customer accounts by November 2025. This initiative is part of a broader effort to align with industry standards and improve protection against cyber threats.
Description
Snowflake will require all customers to enable multi-factor authentication (MFA) on their accounts by November 2025 [2], completely phasing out single-factor authentication using passwords. This policy aligns with the Cybersecurity and Infrastructure Security Agency (CISA) Secure by Design pledge [3] [4], which Snowflake signed in July [4]. Starting in April 2024 [2] [4], MFA will be the default for all new Snowflake accounts [3]. The implementation will occur in phases:
1 [3]. In April 2025 [2] [3] [4], all human users on accounts without a customized authentication policy will be required to enroll in MFA upon their next password-based sign-in [1] [3].
- By August 2025 [1] [3] [4], password-only sign-ins will be prohibited for all human users, regardless of any custom authentication policies [1].
- By November 2025 [1] [2] [3] [4], all sign-in attempts using single-factor authentication with passwords will be blocked for both human users and service accounts. Additionally, the LEGACY_SERVICE will be deprecated [1], with users migrated to SERVICE accounts, completing the transition to mandatory MFA for all users [1].
This initiative follows a series of cyberattacks earlier in the year that exploited the absence of MFA [2], affecting over 165 organizations [2], including Neiman Marcus [2], Ticketmaster [2] [3], and AT&T [2] [3], and resulting in significant data theft and extortion attempts [2] [4]. The mandatory MFA aims to enhance security and prevent similar incidents by providing an additional layer of protection against credential theft [3]. Snowflake has developed guides to assist organizations with this transition and offers a Threat Intelligence scanner package to identify users without MFA enabled [2].
Notably, the policy does not apply to customers using key-pair authentication or single sign-on methods such as SAML or OAuth [4]. Snowflake’s security capabilities are further supported by the Snowflake Horizon Catalog [3], which assists security administrators in safeguarding their security posture [3]. This approach reflects a broader trend among cloud service providers [4], with major companies like AWS [4], Google Cloud [4], and Microsoft Azure also planning MFA mandates by the end of 2025 [4]. Organizations are encouraged to review their user management and authentication methods before the 2025 deadline to ensure compliance and security.
Conclusion
The transition to mandatory MFA by Snowflake is a significant step towards bolstering cybersecurity and mitigating risks associated with credential theft. By aligning with industry standards and providing resources for a smooth transition, Snowflake aims to prevent future cyberattacks and enhance overall security. As other major cloud service providers follow suit, organizations must proactively adapt their authentication strategies to meet these evolving security requirements.
References
[1] https://insight.scmagazineuk.com/snowflake-to-block-single-factor-authentication-in-11-months
[2] https://www.darkreading.com/identity-access-management-security/snowflake-rolls-out-mandatory-mfa-plan
[3] https://www.infosecurity-magazine.com/news/snowflake-mfa-mandatory/
[4] https://www.cybersecuritydive.com/news/snowflake-authentication-policy-change/735099/
