If you're a Snowflake customer, get ready for a major change to authentication policies. By April 2025, multi-factor authentication (MFA) will be mandatory for all human users on Snowflake, and the phase-out of password-based logins for legacy service accounts will begin.
MFA is a security process that requires more than one way to verify a user's identity and helps to secure and govern your data.
Because MFA employs multiple types of verification, the risk of unauthorized access is greatly diminished, and data governance is therefore strengthened. This transition is not just one more enhancement; it is a substantial overhaul of how users authenticate.
Unprepared organizations will face disruptions to access, along with risks to property and compliance. Because of these complications, organizations must prepare now for a smooth shift by focusing on the newer authentication policies, adjusting their credentials, and easing the move to MFA.
If your Snowflake user account relies on password-based authentication, you will be required to enable MFA. This affects:
Users logging in via Snowflake’s built-in authentication
Users accessing Snowflake via third-party applications that still use passwords
Organizations that have already implemented a custom authentication policy, such as Single Sign-On (SSO) or key-pair authentication, will not be affected by this requirement. However, if their custom authentication policy still permits password-based sign-ins, those users will be required to enroll in MFA by August 2025.
Legacy service users are temporarily exempt and can continue using passwords until November 2025. However, after that date:
All LEGACY_SERVICE users will be converted to SERVICE
Passwords will no longer be supported
Organizations must transition these users to key-pair authentication or OAuth before the deadline
LEGACY_SERVICE users will also lose access to Snowsight in August 2025. If you rely on password-based automation, ETL jobs, or integrations, you’ll need to start planning a migration strategy now to avoid disruptions.
If a Snowflake trial account is upgraded to a paid plan, MFA requirements will be automatically enforced for all human users.
SERVICE users already authenticate without passwords and are not impacted by these changes
They will continue using key-pair authentication or OAuth, and MFA does not apply
Reader accounts are exempt from the MFA requirement
MFA does not apply unless the trial account is converted to a paid account
While Snowflake is enforcing MFA for human users, not all external applications currently support MFA-based authentication. Some third-party tools still rely on password-based authentication, which may cause compatibility issues.
Ensure third-party applications are configured and able to use key-pair or OAuth authentication
Check with application providers for guidance on updating authentication methods
If an application does not support Snowflake’s required authentication methods, contact the provider and inform your Snowflake account team for potential solutions
Identify all TYPE=PERSON or NULL users
Enable MFA for all human users that log in with a password.
Consider migrating to Single Sign-On (SSO) to streamline authentication and remove password dependency.
Identify all TYPE=LEGACY_SERVICE users still using passwords
Plan a transition to key-pair authentication or OAuth before November 2025
Test authentication updates in a development environment before making changes in production
Ensure that your team is prepared for MFA enforcement upon upgrading to a paid account
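One way to carry out the two identification steps in the checklist above, as an added example rather than Keyrus's or Snowflake's own query. It assumes a role that can read the SNOWFLAKE.ACCOUNT_USAGE.USERS view and that the view exposes the TYPE, HAS_PASSWORD, HAS_MFA and HAS_RSA_PUBLIC_KEY columns; the action labels are wording chosen for this example.

```sql
-- Added example: list every active user that still has a password and
-- say what the new policy requires of it.
-- Assumption: read access to SNOWFLAKE.ACCOUNT_USAGE (this view can lag
-- behind recent changes). OAuth usage is not visible in this view.
WITH active_users AS (
    SELECT
        name,
        -- A NULL type is treated the same as PERSON (a human user).
        COALESCE(type, 'PERSON')            AS effective_type,
        COALESCE(has_password, FALSE)       AS has_password,
        COALESCE(has_mfa, FALSE)            AS has_mfa,
        COALESCE(has_rsa_public_key, FALSE) AS has_key_pair,
        last_success_login
    FROM snowflake.account_usage.users
    WHERE deleted_on IS NULL
)
SELECT
    name,
    effective_type,
    has_mfa,
    has_key_pair,
    last_success_login,
    CASE
        WHEN effective_type = 'PERSON' AND NOT has_mfa
            THEN 'Enroll in MFA or move to SSO'
        WHEN effective_type = 'PERSON'
            THEN 'MFA enrolled: no action'
        WHEN effective_type = 'LEGACY_SERVICE' AND has_key_pair
            THEN 'Switch clients to key-pair, then drop the password'
        WHEN effective_type = 'LEGACY_SERVICE'
            THEN 'Move to key-pair or OAuth before November 2025'
        ELSE 'Review manually'
    END AS required_action
FROM active_users
WHERE has_password          -- only password-based users are affected
ORDER BY effective_type, name;
```

Users with an old or empty last_success_login are candidates for disabling rather than migrating.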
This timeline details key dates and actions (source).
We understand that security changes can be disruptive. Our team is here to make the transition smooth and efficient by:
Assessing Your Authentication Setup - We analyze your current authentication methods and identify users affected by these changes
Implementing MFA Without Disruptions - We help roll out MFA with minimal impact on your workflows
Migrating Legacy Service Users - We ensure your Legacy Service users transition smoothly to Service users (TYPE=SERVICE) with key-pair authentication or OAuth
Setting Up SSO and Authentication Policies for Seamless Access - We help organizations shift from passwords to Single Sign-On for better security and ease of use
Ensuring Third-Party Applications Remain Functional - We assess how your Snowflake-connected applications authenticate and help implement secure alternatives if they don’t support MFA
Snowflake’s new security policies take effect soon. If your organization still relies on password-based authentication, now is the time to prepare. Keyrus is ready to help you navigate these changes. Contact our Data and Snowflake teams today to discuss the best strategy for your organization.