MFA_AUTHENTICATION_METHODS in authentication policy now only includes PASSWORD by default (Pending)

Attention

This behavior change is in the 2025_04 bundle.

For the current status of the bundle, refer to Bundle History.

Note

Previously, this behavior change included the deprecation of the MFA_AUTHENTICATION_METHODS parameter. This deprecation has been postponed to a future bundle.

This change modifies the default behavior of multi-factor authentication (MFA) enforcement when no authentication policy is set, and for newly created authentication policies. Existing authentication policies are not affected.

Before the change:
  • When no authentication policy is set, Snowflake enforces MFA on password and single sign-on (SSO) logins.

  • CREATE AUTHENTICATION POLICY commands that do not set a value for the MFA_AUTHENTICATION_METHODS parameter create a policy with MFA_AUTHENTICATION_METHODS = ('PASSWORD', 'SAML'), requiring MFA for both password and SSO logins.

After the change:
  • When no authentication policy is set, Snowflake enforces MFA only on password logins and not on SSO logins.

  • CREATE AUTHENTICATION POLICY commands that do not set a value for the MFA_AUTHENTICATION_METHODS parameter create a policy with MFA_AUTHENTICATION_METHODS = ('PASSWORD'), enforcing MFA only on password logins and not on SSO logins.

  • Existing authentication policies keep their current MFA_AUTHENTICATION_METHODS settings. Only new policies use the updated defaults.

To check your current authentication policy settings:

  1. List all authentication policies in your account:

    SHOW AUTHENTICATION POLICIES IN ACCOUNT;
    
  2. View the detailed settings for a specific policy:

    DESCRIBE AUTHENTICATION POLICY <policy_name>;
    
  3. View the policy assigned to a user:

    SHOW AUTHENTICATION POLICIES ON USER <user_name>;
    
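
To keep MFA on SSO logins for policies created after this change, set the parameter explicitly instead of relying on the default. The following is an added example, not part of the original Snowflake page; the policy name require_mfa_all_logins is hypothetical, and the lowercase "property" and "value" column names of the DESCRIBE output are an assumption.

```sql
-- Added example. The policy name is hypothetical.

-- After the change, a policy created without the parameter gets
-- MFA_AUTHENTICATION_METHODS = ('PASSWORD'), so SSO logins are not
-- prompted for MFA:
--   CREATE AUTHENTICATION POLICY some_policy;

-- Setting the parameter explicitly keeps the pre-change behavior:
-- MFA on both password and SSO (SAML) logins.
CREATE AUTHENTICATION POLICY IF NOT EXISTS require_mfa_all_logins
  MFA_AUTHENTICATION_METHODS = ('PASSWORD', 'SAML')
  COMMENT = 'Explicit MFA on password and SSO logins';

-- Confirm the stored value rather than trusting the default.
DESCRIBE AUTHENTICATION POLICY require_mfa_all_logins;

-- Assumption: the DESCRIBE result exposes lowercase "property" and
-- "value" columns that can be filtered with RESULT_SCAN.
SELECT "property", "value"
FROM TABLE(RESULT_SCAN(LAST_QUERY_ID()))
WHERE "property" = 'MFA_AUTHENTICATION_METHODS';

-- Attach the policy at the account level so the
-- "no authentication policy is set" default no longer applies.
ALTER ACCOUNT SET AUTHENTICATION POLICY require_mfa_all_logins;
```

The same DESCRIBE and RESULT_SCAN pair can be run against each policy returned by SHOW AUTHENTICATION POLICIES IN ACCOUNT to find policies whose value is ('PASSWORD') only.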

Ref: 1971