Snowflake Expands Supported MFA Methods and Makes Them Available by Default Everywhere

Earlier this year, we announced a multiphased plan to block single-factor password sign-ins. Starting in May, multi-factor authentication (MFA) will be enforced on all password sign-ins to Snowsight UI for human users as part of BCR 2025_04. Password sign-ins outside of Snowsight, such as those in BI tools like PowerBI, will be exempted from this policy. However, this exemption is temporary and will be lifted by March 2026, when Snowflake will enforce MFA on all surfaces. The rollout of MFA enforcement on Snowsight will follow the Snowflake Behavior Change Management process.
We are also announcing the general availability of new MFA methods: authenticator apps and passkeys. To support existing business intelligence apps that don’t yet support MFA login, we are launching programmatic access tokens (PATs) as a drop-in replacement for passwords.
Note that Snowsight MFA enforcement will not affect single sign-on users using SAML or OAuth, or legacy service users. Managed accounts and trial accounts are not included in this rollout.
Addressing customer MFA concerns with new capabilities
To better understand the challenges of enabling MFA, we interviewed more than 100 customers. These conversations identified two key product enhancements:
- Alternative MFA methods: Customers told us that they want to be able to use their existing, approved MFA methods with Snowflake.
- Solution for business intelligence apps that do not currently support MFA: Customers asked us to provide a solution for applications that support only passwords.
We are happy to announce general availability of four products that address these concerns:
- Support for passkeys: Based on the industry-wide standards established by FIDO, passkeys allow signing into Snowflake with the same process that users use to unlock their device (biometrics, PIN, security keys). Note that passkeys are supported only as a secondary authentication factor in addition to username and password.

- Support for authenticator apps: Based on the industry standard Time-Based One-Time Password (TOTP), users can now use their existing approved authenticator apps (like Microsoft or Google authenticator apps) to access Snowflake via MFA.

- Support for programmatic access tokens: We introduced PATs as a solution for programmatic access to Snowpark Container Services (SPCS) and Snowflake REST APIs. PATs can also be a drop-in replacement for passwords for apps that support only username and password authentication. PATs raise the security bar because by default they are tied to specific roles, have an expiration date and must be used in tandem with a network policy. We recommend creating separate PATs for different use cases to minimize the blast radius in case of PAT compromise.

- Support for OAuth in Snowflake drivers: To simplify migration to federation, we are introducing native support for OAuth in ODBC, JDBC and Python drivers (all generally available). We plan to expand this support to all other drivers in the upcoming months. By using Snowflake OAuth alongside the new “local application” OAuth configuration, the drivers can natively support new MFA methods, including passkeys and authenticator apps.
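
The PAT properties listed above (role restriction, expiration, network policy, one token per use case) can be set up as in the following added example, which is not part of the original announcement. The user, role, rule and policy names and the IP range are constructed placeholders, and the statements assume a database and schema are in use and that the executing role can manage users and network policies.

```sql
-- All object names and the IP range (RFC 5737 documentation block) are
-- constructed placeholders. A database and schema must be in use because
-- network rules are schema-level objects.

-- 1. Restrict where the tokens can be presented from.
CREATE NETWORK RULE bi_gateway_ingress
  TYPE = IPV4
  MODE = INGRESS
  VALUE_LIST = ('203.0.113.0/28');

CREATE NETWORK POLICY bi_gateway_only
  ALLOWED_NETWORK_RULE_LIST = ('bi_gateway_ingress');

-- 2. One narrowly scoped role per use case.
CREATE ROLE bi_dashboards_ro;
CREATE ROLE rest_api_loader;

-- 3. Service user that is subject to the network policy.
CREATE USER bi_reporting_svc TYPE = SERVICE;
ALTER USER bi_reporting_svc SET NETWORK_POLICY = bi_gateway_only;
GRANT ROLE bi_dashboards_ro TO USER bi_reporting_svc;
GRANT ROLE rest_api_loader TO USER bi_reporting_svc;

-- 4. A separate token per use case, each pinned to one role and given
--    its own expiry. The secret is returned once when the token is created;
--    store it in the application's secret manager, not in a config file.
ALTER USER bi_reporting_svc ADD PROGRAMMATIC ACCESS TOKEN powerbi_dashboards
  ROLE_RESTRICTION = 'BI_DASHBOARDS_RO'
  DAYS_TO_EXPIRY = 30
  COMMENT = 'Password replacement for the BI tool connection';

ALTER USER bi_reporting_svc ADD PROGRAMMATIC ACCESS TOKEN rest_api_ingest
  ROLE_RESTRICTION = 'REST_API_LOADER'
  DAYS_TO_EXPIRY = 7
  COMMENT = 'REST API loader job';

-- 5. If one token is exposed, remove only that token. The other use case
--    keeps working, and the removed token only ever carried one role.
ALTER USER bi_reporting_svc REMOVE PROGRAMMATIC ACCESS TOKEN rest_api_ingest;
```
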
What should you do?
Check the list of affected users in your Snowflake account by visiting the new Risky Human User scanner in the Trust Center Threat Intel package. We recommend following our best practices for migration from single-factor authentication to mitigate any findings. If you have concerns or questions, please reach out to your account representative or contact Snowflake support.
What’s next?
As announced previously, Snowflake will deprecate single-factor password sign-ins soon. Get ahead of the curve and start your user migration today by following our best practices for migration from single-factor authentication.
Forward Looking Statements
This article contains forward-looking statements, including about our future product offerings, which are not commitments to deliver any product offerings. Actual results and offerings may differ and are subject to known and unknown risks and uncertainties. See our latest 10-Q for more information.