The New Strong Authentication Hub: Streamlining the Transition to Mandatory MFA

The rapid evolution of identity-based threats has made it clear that the traditional password-only login is no longer optimal. Credential abuse is a major vector for cyberattacks — in fact, it is the top reason for unauthorized access, according to the Verizon 2025 Data Breach Investigations Report.

For us at Snowflake, the security capabilities of the Snowflake AI Data Cloud are paramount, and single-factor password authentication may be appropriate for certain use cases, but it no longer provides the level of rigor many of our customers demand for enterprise data protection.

As part of our shared destiny model with customers, we are deprecating both single-factor password authentication to our core platform and the LEGACY_SERVICE user type. The final phase of this enforcement is scheduled to take place between August and October 2026, and you can find more details in the Snowflake Documentation. To make this process easy for customers, we are launching the Strong Authentication Hub.

Introducing the Strong Authentication Hub

While many customers have already taken action to transition to stronger authentication, the final enforcement dates are fast approaching. To ensure a smooth transition, we have released the Strong Authentication Hub, a dedicated experience within Snowsight UI designed to give customers visibility and control as we roll out enforcement.

Enforcing multi-factor authentication (MFA) for password-only authentication may not be as simple as flipping a switch. Large accounts often have complex authentication scenarios for human users and service integrations. As a result, even before enforcement reaches your account, you’ll need to answer some critical technical questions:

• Which users are still logging in with only a password via specific applications (such as Power BI, Tableau and so on)?
• Which service accounts are still utilizing the LEGACY_SERVICE type?
• Which users are stale (have not logged in for 90 days) and could, therefore, represent an unmonitored attack surface?

We designed the new experience within Snowsight to serve as a central command center for the upcoming enforcement phases. Our goal is to turn a complex security mandate into a manageable, step-by-step engineering task by providing the telemetry and tools necessary to manage the transition.

The hub operates as a dedicated interface in Trust Center (found under the Governance and Security menu) and uses automated scanners to evaluate your account's readiness.

The Strong Authentication Hub’s key technical capabilities include:

• Readiness visibility: The hub provides admins with clear metrics on account readiness for the upcoming MFA enforcement. It offers a live, actionable path to enable compliance before deadlines.
• Risk identification: The hub automatically surfaces potential issues, such as:
  • Users who, in the last 90 days, have authenticated using password-only methods.
  • Inactive users who haven't logged in for over 90 days.
  • Users utilizing stronger methods, such as OAuth, but who still have an active legacy password that is unprotected by MFA.
• Remediation guidance: For every identified "issue," the hub provides specific technical playbooks. This includes guidance on migrating service users to Workload Identity Federation (WIF) or enrolling "break-glass" accounts in MFA OTP.
• Enforcement lifecycle management: View your specific enforcement timeline and use the Manage Extension feature if your organization requires more time to migrate complex workloads.

How to get started now

Start auditing your environment today:

1. Navigate: Go to Governance & Security > Trust Center in Snowsight. Click on the View Hub button in the Strong Authentication Progress tile.
2. Audit: Review the By Issue or By User views to prioritize users at risk of authentication disruption.
3. Act: Use the provided guidance on available options to address issues for users identified as being at risk.

We encourage all administrators to navigate to the Strong Authentication Hub. The road to multi-factor authentication starts with visibility, and we have built this hub to help you lead the way. By moving toward stronger authentication today, you aren't just meeting a deadline; you are hardening your data infrastructure against the next generation of credential-based threats.

Looking forward

As we look at longer industry trends, the concept of identity is evolving from static credentials to dynamic, secretless authentication. At Snowflake, we are committed to making enterprise AI easy and secure, which means removing the burden of password management from both developers and administrators.

Next on our horizon is deeper integration for secretless workflows via Workload Identity Federation, further reducing reliance on long-lived credentials.