Snowflake Will Block Single-Factor Password Authentication by November 2025
Earlier this year, Snowflake signed the Cybersecurity and Infrastructure Security Agency (CISA) Secure by Design pledge. As part of that commitment, we are announcing that by November 2025, Snowflake will block sign-ins using single-factor authentication with passwords.
This enhanced level of protection adds to the growing security capabilities of Snowflake Horizon Catalog, which empowers security admins and chief information security officers to better safeguard their security posture and mitigate risks of credential theft. It also follows our previous announcement that multi-factor authentication (MFA) will be the default for all password sign-ins in new Snowflake accounts created starting October 2024.
In order to hit this milestone, and to make sure we build a viable path for all customers to migrate, we are taking a phased approach. Before we expand on the phases, let’s lay down some taxonomy:
Account: This refers to the container that holds various objects, such as tables, views, databases, schemas and user accounts. See here for more information.
Users: This refers to objects that show the identities of people who can access customers’ accounts and the objects within them. See here for more information.
Human users: This refers to users who are human and normally use an interactive login to sign in to Snowflake. Such users are declared in the Snowflake user object with TYPE = PERSON or NULL (NULL is the default). See here for more information.
Service users: This refers to users that are used for programmatic access without interactive login. Such users are declared in the Snowflake user object with TYPE = SERVICE or LEGACY_SERVICE. Neither SERVICE nor LEGACY_SERVICE will be subject to Snowflake MFA policies. SERVICE users cannot use passwords to sign in. LEGACY_SERVICE is meant for applications that take longer to update and move away from passwords; as such, LEGACY_SERVICE has a temporary exception to use passwords until the app is updated. See here for more information.
Our phased approach will entail three stages:
April 2025: Enable for all accounts the default authentication policy, with MFA enforced on password sign-ins for human users. In this phase, all human users in accounts without a custom authentication policy will be required to enroll in MFA upon their next password-based sign-in to Snowflake. If an account already has a custom authentication policy at the time of this rollout, human users will not see a difference in their sign-in experience. At this time, we will also block access to Snowsight for LEGACY_SERVICE users.
August 2025: Enforce MFA on all password-based sign-ins for human users. In this phase, even if the customer has a custom authentication policy already defined, all human users will be required to use MFA when signing in with passwords.
November 2025: Block sign-in to Snowflake using single-factor authentication with passwords for all users (human or service). In this phase, LEGACY_SERVICE is deprecated and all LEGACY_SERVICE users will be migrated to SERVICE users.
Note that these policies have no bearing on single sign-on users (using SAML or OAuth) or users using key-pair authentication.
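The following added example (not Snowflake code) maps a user inventory onto the three phases above and reports the earliest phase at which each user is affected. The record fields (type, password, mfa) and the sample users are constructed for illustration and are not Snowflake column names; treating an MFA-enrolled human user as unaffected is an assumption.

```python
# Added example: applies the phased rules described above to a user inventory.
# Field names are hypothetical; the sample users are constructed.
from dataclasses import dataclass
from typing import Optional

PHASES = ("April 2025", "August 2025", "November 2025")

@dataclass
class User:
    name: str
    type: Optional[str]   # PERSON, None (treated as human), SERVICE, LEGACY_SERVICE
    password: bool        # signs in with a password (not SSO or key pair)
    mfa: bool = False     # already enrolled in MFA

def effects(user: User, custom_policy: bool) -> list[tuple[str, str]]:
    """Return (phase, effect) pairs for one user; an empty list means unaffected."""
    if user.type == "LEGACY_SERVICE":
        return [("April 2025", "Snowsight access blocked"),
                ("November 2025", "password sign-in blocked; migrated to SERVICE")]
    if user.type == "SERVICE" or not user.password:
        # SERVICE users cannot use passwords; SSO and key-pair users are out of scope.
        return []
    if user.type not in (None, "PERSON"):
        raise ValueError(f"unknown user TYPE: {user.type!r}")
    if user.mfa:
        return []  # assumption: an enrolled human user already meets every phase
    # Human user, password, no MFA: a custom authentication policy defers
    # enforcement from April to August, but no later.
    start = "August 2025" if custom_policy else "April 2025"
    return [(start, "must enroll in MFA for password sign-in")]

def deadlines(users: list[User], custom_policy: bool) -> dict[str, Optional[str]]:
    """Earliest phase at which each user is affected, or None if never."""
    out = {}
    for u in users:
        hits = effects(u, custom_policy)
        out[u.name] = min((p for p, _ in hits), key=PHASES.index, default=None)
    return out

SAMPLE = [  # constructed inventory
    User("alice", "PERSON", password=True),
    User("bob", None, password=True, mfa=True),
    User("carol", "PERSON", password=False),         # SSO only
    User("etl_old", "LEGACY_SERVICE", password=True),
    User("etl_new", "SERVICE", password=False),      # key pair
]

if __name__ == "__main__":
    for policy in (False, True):
        print("custom authentication policy:", policy, deadlines(SAMPLE, policy))
```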
To help with migrations, we have created a white paper and an accompanying video migration guide. We also added a new scanner package to the Trust Center called Threat Intelligence (generally available) that can quickly scan your account and find users that are at risk of losing access (see here for step-by-step guidance). We have also been working with our partners and ecosystems — including Tableau — to help prepare their solutions for our vision for stronger authentication.
Snowflake will continue investing in the security capabilities of our customer accounts and bring more products and innovations to this space, such as native support for passkeys and time-based one-time password (TOTP) including authenticator apps. These will all work hand-in-hand with Snowflake’s other recently announced capabilities, including Leaked Password Protection, Trust Center, MFA policies, Programmatic Access Tokens (private preview soon) and many more. Stay tuned for updates!
Forward Looking Statements
This article contains forward-looking statements, including about our future product offerings, which are not commitments to deliver any product offerings. Actual results and offerings may differ and are subject to known and unknown risks and uncertainties. See our latest 10-Q for more information.