
Snowflake Strengthens Security with Default Multi-Factor Authentication and Stronger Password Policies


Snowflake has always been committed to helping customers protect their accounts and data. To further our commitment to protect against cybersecurity threats and to champion the advancement of industry standards for security, Snowflake recently signed the Cybersecurity and Infrastructure Security Agency (CISA) Secure By Design Pledge. In line with CISA’s Secure By Design principles, we recently announced a number of security enhancements in the platform — most notably the general availability of Trust Center and a new multi-factor authentication (MFA) policy. As part of our continuing efforts, we are announcing that MFA will be enforced by default for all human users in any Snowflake account created as of October 2024. Service users — accounts designed for service-to-service communication — will not be subject to this MFA requirement.

To help you further strengthen your security posture, starting in October, we will also require both newly created and altered user passwords to:

  • Have a minimum length of 14 characters, up from 8

  • Not be any of the last five passwords used 

The rollout for these changes will follow the standard protocol in Snowflake’s Behavior Change Policy (BCR).

What else can I do to enforce stronger authentication in Snowflake?

For existing Snowflake customers, we strongly recommend following the Snowflake security best practices in this white paper, including leveraging the Trust Center Security Essentials scanner package to look for compliance with MFA and the use of network policies. 

Additionally, we recommend the following to enforce stronger authentication:

  • For human users:

    • We recommend using single sign-on (SSO) when possible and enabling MFA through your Identity Provider (IDP).

    • If SSO is not possible or MFA cannot be enabled through the IDP, or for break-glass scenarios, we recommend using Snowflake’s built-in MFA.

  • For service users: 

    • We recommend using external OAuth when possible, and if not, using key pair authentication to eliminate passwords altogether for such users. We strongly advise enabling network policies when using key pair authentication and, in general, enabling network policies for all user types, not just service users.

If you are using popular apps, such as PowerBI, dbt, Tableau or others, to connect to Snowflake, it is vital to configure them to use either external OAuth or key pair authentication (alongside a network policy). The proper configuration steps will depend on the particular app, so you will need to consult the provider for specifics (e.g., see the instructions for Tableau and dbt). If the app does not support Snowflake’s recommended authentication methods, please contact the app provider and also inform your Snowflake account team. Snowflake is working closely with our partner ecosystem so that their tooling and apps are ready for stronger authentication methods. 
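The recommendations above, expressed as Snowflake SQL for an existing account. This is an added example, not code from the original post: the database, schema, policy and user names, the IP range (a documentation range) and the public-key placeholder are all assumptions to replace with your own values.

```sql
-- Password policy matching the new requirements: 14+ characters, no reuse of the last five.
CREATE PASSWORD POLICY IF NOT EXISTS sec_db.policies.strong_pw   -- hypothetical names
  PASSWORD_MIN_LENGTH = 14
  PASSWORD_HISTORY    = 5;
ALTER ACCOUNT SET PASSWORD POLICY sec_db.policies.strong_pw;

-- Human users: allow SSO or password sign-in, and require MFA enrollment
-- for sign-ins that use Snowflake's built-in MFA.
CREATE AUTHENTICATION POLICY IF NOT EXISTS sec_db.policies.human_mfa
  AUTHENTICATION_METHODS = ('SAML', 'PASSWORD')
  MFA_ENROLLMENT         = REQUIRED;
ALTER ACCOUNT SET AUTHENTICATION POLICY sec_db.policies.human_mfa;

-- Service users: no password at all; key pair or external OAuth only.
CREATE AUTHENTICATION POLICY IF NOT EXISTS sec_db.policies.service_no_pw
  AUTHENTICATION_METHODS = ('KEYPAIR', 'OAUTH');

CREATE USER IF NOT EXISTS svc_dbt                 -- hypothetical service user
  TYPE           = SERVICE
  RSA_PUBLIC_KEY = '<PUBLIC_KEY_PLACEHOLDER>';    -- paste the PEM body of your own key
ALTER USER svc_dbt SET AUTHENTICATION POLICY sec_db.policies.service_no_pw;

-- Pair key pair authentication with a network policy, as advised above.
CREATE NETWORK POLICY IF NOT EXISTS svc_dbt_net
  ALLOWED_IP_LIST = ('203.0.113.0/24');           -- constructed example range
ALTER USER svc_dbt SET NETWORK_POLICY = svc_dbt_net;

-- Audit: active users that still have a password but are not enrolled in
-- Snowflake's built-in MFA. Review each one: move it to SSO, enroll it in MFA,
-- or convert it to a key pair service user.
SELECT name,
       has_password,
       has_rsa_public_key,
       ext_authn_duo,
       last_success_login
FROM   snowflake.account_usage.users
WHERE  deleted_on IS NULL
  AND  has_password
  AND  NOT ext_authn_duo
ORDER  BY last_success_login DESC NULLS LAST;
```

A user-level authentication policy takes precedence over the account-level one, which is why the service user can be restricted to key pair and OAuth while the account default still permits password sign-in with MFA.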

What’s next?

To continue making Snowflake more secure by default, we are working on extending these stronger authentication policies to all existing Snowflake accounts — with the eventual expectation to completely eliminate password-only sign-ins to Snowflake. 

If you have further questions, please reach out to your Snowflake account team. 

 


Best Practices to Mitigate the Risk of Credential Compromise

Learn how to leverage Snowflake native platform features to enforce strong authentication and mitigate the risks of credential theft.