
Snowflake Expands Supported MFA Methods and Makes Them Available by Default Everywhere

Earlier this year, we announced a multiphased plan to block single-factor password sign-ins. Starting in May, multi-factor authentication (MFA) will be enforced on all password sign-ins to Snowsight UI for human users as part of BCR 2025_04. Password sign-ins outside of Snowsight, such as those in BI tools like PowerBI, will be exempted from this policy. However, this exemption is temporary and will be lifted by March 2026, when Snowflake will enforce MFA on all surfaces. The rollout of MFA enforcement on Snowsight will follow the Snowflake Behavior Change Management process.

We are also announcing the general availability of new MFA methods: authenticator apps and passkeys. To support existing business intelligence apps that don’t yet support MFA login, we are launching programmatic access tokens (PATs) as a drop-in replacement for passwords. 

Note that Snowsight MFA enforcement will not affect single sign-on users using SAML or OAuth, or legacy service users. Managed accounts and trial accounts are not included in this rollout. 

Addressing customer MFA concerns with new capabilities 

To better understand the challenges of enabling MFA, we interviewed more than 100 customers. These conversations identified two key product enhancements:

  • Alternative MFA methods: Customers told us that they want to be able to use their existing, approved MFA methods with Snowflake.

  • Solution for business intelligence apps that do not currently support MFA: Customers asked us to provide a solution for applications that support only passwords.

We are happy to announce general availability of four products that address these concerns:

  • Support for passkeys: Based on the industry-wide standards established by FIDO, passkeys allow signing into Snowflake with the same process that users use to unlock their device (biometrics, PIN, security keys). Note that passkeys are supported only as a secondary authentication factor in addition to username and password.

  • Support for authenticator apps: Based on the industry-standard Time-Based One-Time Password (TOTP), users can now use their existing approved authenticator apps (like Microsoft or Google authenticator apps) to access Snowflake via MFA.
  • Support for programmatic access tokens: We introduced PATs as a solution for programmatic access to Snowpark Container Services (SPCS) and Snowflake REST APIs. PATs can also be a drop-in replacement for passwords for apps that support only username and password authentication. PATs raise the security bar because by default they are tied to specific roles, have an expiration date and must be used in tandem with a network policy. We recommend creating separate PATs for different use cases to minimize the blast radius in case of PAT compromise.
  • Support for OAuth in Snowflake drivers: To simplify migration to federation, we are introducing native support for OAuth in ODBC, JDBC and Python drivers (all generally available). We plan to expand this support to all other drivers in the upcoming months. By using Snowflake OAuth alongside the new “local application” OAuth configuration, the drivers can natively support new MFA methods, including passkeys and authenticator apps.
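
The PAT guidance above (role-bound, expiring, behind a network policy, one token per use case) can be applied as in the following sketch. This is an added example, not code from the original article or from Snowflake; the user, role, policy and token names are hypothetical, and 203.0.113.0/24 is a documentation address range standing in for the BI gateway's egress addresses.

```sql
-- Added example. All object names are hypothetical:
--   users:    powerbi_reader, tableau_reader
--   roles:    BI_SALES_RO, BI_FINANCE_RO
--   policy:   bi_gateway_only
-- 203.0.113.0/24 is a documentation range; substitute the real egress range.

-- 1. PATs are meant to be used together with a network policy, so restrict
--    the BI accounts to the gateway's egress range before issuing any token.
CREATE NETWORK POLICY IF NOT EXISTS bi_gateway_only
  ALLOWED_IP_LIST = ('203.0.113.0/24');

ALTER USER powerbi_reader SET NETWORK_POLICY = bi_gateway_only;
ALTER USER tableau_reader SET NETWORK_POLICY = bi_gateway_only;

-- 2. One token per use case, each pinned to a single least-privilege role
--    and given a short lifetime. The token secret is shown only in the
--    output of this statement; it goes into the BI tool's password field.
ALTER USER powerbi_reader
  ADD PROGRAMMATIC ACCESS TOKEN powerbi_sales_dashboards
  ROLE_RESTRICTION = 'BI_SALES_RO'
  DAYS_TO_EXPIRY   = 30
  COMMENT          = 'Power BI sales dashboards only';

ALTER USER tableau_reader
  ADD PROGRAMMATIC ACCESS TOKEN tableau_finance_extracts
  ROLE_RESTRICTION = 'BI_FINANCE_RO'
  DAYS_TO_EXPIRY   = 30
  COMMENT          = 'Tableau finance extracts only';

-- 3. Periodic review: list each account's tokens with their role
--    restriction, status and expiry.
SHOW USER PROGRAMMATIC ACCESS TOKENS FOR USER powerbi_reader;
SHOW USER PROGRAMMATIC ACCESS TOKENS FOR USER tableau_reader;

-- 4. If one token is suspected compromised, remove only that token.
--    The other use case keeps working, which is the blast-radius benefit
--    of separate PATs.
ALTER USER powerbi_reader
  REMOVE PROGRAMMATIC ACCESS TOKEN powerbi_sales_dashboards;
```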

What should you do?

Check the list of affected users in your Snowflake account by visiting the new Risky Human User scanner in the Trust Center Threat Intel package. We recommend following our best practices for migration from single-factor authentication to mitigate any findings. If you have concerns or questions, please reach out to your account representative or contact Snowflake support. 

What’s next?

As announced previously, Snowflake will deprecate single-factor password sign-ins soon. Get ahead of the curve and start your user migration today by following our best practices for migration from single-factor authentication. 

Forward Looking Statements

This article contains forward-looking statements, including about our future product offerings, which are not commitments to deliver any product offerings. Actual results and offerings may differ and are subject to known and unknown risks and uncertainties. See our latest 10-Q for more information.

 

Resources

Best Practices for Migration from Single-Factor Authentication

Learn how to leverage Snowflake capabilities to enforce strong authentication and mitigate the risks of credential theft.