MFA_AUTHENTICATION_METHODS in authentication policy now only includes PASSWORD by default (Pending)
Attention
This behavior change is in the 2025_04 bundle.
For the current status of the bundle, refer to Bundle History.
Note
Previously, this behavior change included the deprecation of the MFA_AUTHENTICATION_METHODS parameter. This deprecation has been postponed to a future bundle.
This change modifies the default behavior of multi-factor authentication (MFA) enforcement when no authentication policy is set, and for newly created authentication policies. Existing authentication policies are not affected.
- Before the change:
  When no authentication policy is set, Snowflake enforces MFA on password and single sign-on (SSO) logins.
  CREATE AUTHENTICATION POLICY commands that do not set a value for the MFA_AUTHENTICATION_METHODS parameter create a policy with MFA_AUTHENTICATION_METHODS = ('PASSWORD', 'SAML'), requiring MFA for both password and SSO logins.
- After the change:
  When no authentication policy is set, Snowflake enforces MFA only on password logins and not on SSO logins.
  CREATE AUTHENTICATION POLICY commands that do not set a value for the MFA_AUTHENTICATION_METHODS parameter create a policy with MFA_AUTHENTICATION_METHODS = ('PASSWORD'), enforcing MFA only on password logins and not on SSO logins.
Existing authentication policies keep their current MFA_AUTHENTICATION_METHODS settings. Only new policies use the updated defaults.
To check your current authentication policy settings:
List all authentication policies in your account:
SHOW AUTHENTICATION POLICIES IN ACCOUNT;
View the detailed settings for a specific policy:
DESCRIBE AUTHENTICATION POLICY <policy_name>;
View the policy assigned to a user:
SHOW AUTHENTICATION POLICIES ON USER <user_name>;
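To keep MFA enforced on SSO logins after the change, a new policy has to set the parameter explicitly instead of relying on the default. The following is an added example, not part of the original notice; the policy name mfa_password_and_sso is hypothetical and <user_name> is the same placeholder used above.

```sql
-- Hypothetical policy name. Run this in the database and schema where
-- you keep policy objects.
-- Setting MFA_AUTHENTICATION_METHODS explicitly means the policy does not
-- depend on the default, which becomes ('PASSWORD') under this change.
CREATE AUTHENTICATION POLICY mfa_password_and_sso
  MFA_AUTHENTICATION_METHODS = ('PASSWORD', 'SAML');

-- Confirm the stored MFA_AUTHENTICATION_METHODS value before assigning it.
DESCRIBE AUTHENTICATION POLICY mfa_password_and_sso;

-- Assign the policy to one user first and verify the assignment.
ALTER USER <user_name> SET AUTHENTICATION POLICY mfa_password_and_sso;
SHOW AUTHENTICATION POLICIES ON USER <user_name>;

-- Once password and SSO logins behave as expected for that user,
-- assign the policy at the account level.
ALTER ACCOUNT SET AUTHENTICATION POLICY mfa_password_and_sso;
```

Accounts that currently have no authentication policy set are the ones whose SSO logins stop being subject to MFA enforcement under this change, so they are the ones that need an explicit policy like this.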
Ref: 1971