Multi-factor authentication (MFA)¶

Multi-factor authentication (MFA) reduces the security risks associated with password authentication. When a password user is enrolled in MFA, they must use a second factor of authentication when signing in to Snowflake. These users enter their password, and then use the second factor. For information about how a user adds an MFA method that they can use as a second factor of authentication, see Configuring a second factor of authentication.

MFA is intended for human users who authenticate with a password. Service users must use another form of authentication. For more information about these user types, see Types of users.

Important

To improve the security posture of all of its customers, Snowflake is rolling out changes to require MFA for all password sign-ins. For information about this rollout, see Planning for the deprecation of single-factor password sign-ins.

Requiring users to enroll in MFA¶

Currently, strategies for implementing MFA for your organization vary depending on whether or not an account existed when the 2024_08 behavior change bundle was enabled:

  • If an account existed before the 2024_08 bundle was enabled, then you must configure your account if you want to require human users to use MFA. For information about implementing MFA to require all human users to enroll in MFA, see Hardening user or account authentication using MFA.

  • If the account was created after the 2024_08 bundle was enabled, then all human users who authenticate with a password must enroll in MFA by default. This MFA requirement does not apply to service users.

    If you want to disable the requirement that all human users enroll in MFA, create a custom authentication policy with MFA_ENROLLMENT=OPTIONAL, and then set the authentication policy on the account. For more information about creating and setting authentication policies, see Authentication policies.

    Be aware that the ability to opt out of mandatory MFA is temporary; see Planning for the deprecation of single-factor password sign-ins.
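The two account-level configurations described above, as an added example that is not part of the Snowflake documentation: opting a pre-2024_08 account in to mandatory MFA, the temporary OPTIONAL opt-out, and the checks that show which policy is actually attached. The database, schema and policy names are assumptions, as is the `<account_name>` placeholder in the POLICY_REFERENCES lookup; the policy syntax is the one used elsewhere on this page.

```sql
-- Added example, not Snowflake's own code. Assumed names: admin_db, policies,
-- require_mfa_policy, optional_mfa_policy. Run as a role that can create
-- authentication policies and alter the account (ACCOUNTADMIN here).
USE ROLE ACCOUNTADMIN;
CREATE DATABASE IF NOT EXISTS admin_db;
CREATE SCHEMA IF NOT EXISTS admin_db.policies;

-- Pre-2024_08 account: opt in to mandatory MFA for every password sign-in.
CREATE AUTHENTICATION POLICY admin_db.policies.require_mfa_policy
  MFA_AUTHENTICATION_METHODS = ('PASSWORD')   -- the sign-in method MFA applies to
  MFA_ENROLLMENT = REQUIRED;                  -- human password users must enroll

ALTER ACCOUNT SET AUTHENTICATION POLICY admin_db.policies.require_mfa_policy;

-- Post-2024_08 account: the temporary opt-out is a policy with OPTIONAL
-- enrollment. The ALTER is left commented out; attach it only deliberately.
CREATE AUTHENTICATION POLICY admin_db.policies.optional_mfa_policy
  MFA_ENROLLMENT = OPTIONAL;
-- ALTER ACCOUNT SET AUTHENTICATION POLICY admin_db.policies.optional_mfa_policy;

-- Check what is attached before relying on it.
DESCRIBE AUTHENTICATION POLICY admin_db.policies.require_mfa_policy;
-- Assumption: POLICY_REFERENCES with the ACCOUNT domain lists account-level
-- policies; '<account_name>' is a placeholder for your account's name.
SELECT policy_name, policy_kind, ref_entity_domain
  FROM TABLE(admin_db.information_schema.policy_references(
         ref_entity_name   => '<account_name>',
         ref_entity_domain => 'ACCOUNT'));

-- Detach again if needed (returns the account to its default behavior).
-- ALTER ACCOUNT UNSET AUTHENTICATION POLICY;
```

Attach the REQUIRED policy first in a non-production account: once it is set, every password user who has not enrolled is prompted to enroll on their next sign-in, and that includes the administrator running these statements.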

Restricting which MFA methods are available¶

When a user is enrolled in MFA, they are required to use an MFA method as a second factor of authentication. Snowflake allows the following MFA methods:

  • Authenticating with a passkey that can be stored and accessed in a variety of ways.

  • Authenticating with an authenticator app that generates a time-based one-time passcode (TOTP).

  • Authenticating with Duo.

Tip

As you decide which MFA methods to allow, keep in mind the following:

  • Passkeys are recommended due to their security and usability.

  • Duo is not replicated like the other MFA methods.

As an administrator, you can use an authentication policy to control which MFA methods can be used as a second factor of authentication. For example, the following authentication policy allows users to use a passkey or authenticator app as their second factor of authentication, but not Duo:

CREATE AUTHENTICATION POLICY require_mfa_policy
  MFA_AUTHENTICATION_METHODS = ('PASSWORD')
  MFA_ENROLLMENT = REQUIRED
  MFA_POLICY = (ALLOWED_METHODS = ('PASSKEY', 'TOTP'));

If a user previously configured an MFA method that is now prohibited, the next time they sign in they’ll be prompted to authenticate using the pre-existing method, then prompted to configure a new, allowed method.

For more information about the MFA_POLICY parameter, see CREATE AUTHENTICATION POLICY.

Removing a user’s MFA methods¶

You can remove an MFA method that a user previously added so that they can no longer use it as their second factor of authentication.

  1. Execute the SHOW MFA METHODS command and find the value in the name column. For example, if you are removing an MFA method for a user joe, execute the following and copy the name of the MFA method from the output:

    SHOW MFA METHODS FOR USER joe;
    
    +---------------+-----------------+------------------------+-------------------------------+---------------------------------+---------------------+
    |   name        |      type       |    comment             |     last_used                 |        created_on               |  additional_info    |
    +---------------+-----------------+------------------------+-------------------------------+---------------------------------+---------------------+
    | TOTP-48A7     |    TOTP         | Authenticator App 48A7 | 2025-02-26 11:14:38.000 -0800 |  2025-02-26 11:13:19.000 -0800  | null                |
    +---------------+-----------------+------------------------+-------------------------------+---------------------------------+---------------------+
    
  2. Execute an ALTER USER … REMOVE MFA METHOD statement to remove the MFA method:

    ALTER USER joe REMOVE MFA METHOD TOTP-48A7;
    

Recovering a user who is locked out¶

If a password user is locked out of Snowflake because they don’t have access to a second factor of authentication, an administrator can help them recover the ability to sign in by temporarily disabling MFA or by helping the user set up a new MFA method.

Prompt user to add a new MFA method¶

If a user loses access to the MFA method that they use as their second factor of authentication (for example, by losing the YubiKey that stores their passkey), an administrator can help the user set up a new MFA method so that they can sign in to Snowflake.

When a user does not have access to their MFA method and needs to set up a new one, the administrator executes an ALTER USER … ENROLL MFA statement. For example, if user joe needs to establish a new MFA method, the administrator can execute the following:

ALTER USER joe ENROLL MFA;
  • If the user has a verified email, Snowflake sends an email prompting them to add an MFA authentication method.

  • If the user doesn’t have a verified email, Snowflake returns the URL of a page that prompts the user to add an MFA authentication method. Administrators can send this URL to the locked-out user. Treat the URL like a password-reset link: deliver it over a channel you trust, not to an address or chat you cannot tie to the user.

Temporarily disable MFA¶

If an administrator needs to temporarily disable MFA for a user, they can execute an ALTER USER … SET MINS_TO_BYPASS_MFA statement. During that window the user is protected by their password alone, so keep it as short as the recovery needs and prefer ALTER USER … ENROLL MFA where the user can still receive email. For example, to temporarily disable MFA so that user joe can authenticate with a single-factor password for 30 minutes, execute the following:

ALTER USER joe SET MINS_TO_BYPASS_MFA = 30;

Setting up administrators for break glass access¶

Break glass access refers to the ability to bypass normal authentication methods. Administrators need break glass access to Snowflake if normal authentication becomes unavailable, for example, if an organization’s identity provider goes down.

In many cases, organizations provide break glass access by creating a dedicated Snowflake user and storing their password credential in a cryptographic key vault. When MFA is enforced, every administrator who uses this password must have their own MFA method that they can use as a second factor of authentication. In these cases, Snowflake recommends that each administrator set up a TOTP MFA method so that they can use an authenticator app as their second factor. Using descriptive comments when configuring the MFA method can help distinguish between administrators.
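The recovery steps above, followed by the audit a practitioner would run afterwards, as an added example that is not part of the Snowflake documentation. It assumes a locked-out user joe, a dedicated break-glass user bg_admin, a 15-minute bypass, and the LOGIN_HISTORY columns FIRST_AUTHENTICATION_FACTOR and SECOND_AUTHENTICATION_FACTOR; the INFORMATION_SCHEMA table function is used for the immediate check because SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY is populated with a delay of up to a couple of hours.

```sql
-- Added example, not Snowflake's own code. Assumed: user joe has lost the
-- YubiKey holding his passkey; bg_admin is a dedicated break-glass user.
USE ROLE ACCOUNTADMIN;

-- 1. Preferred path: let joe enroll a replacement method. Snowflake emails a
--    verified address, or returns an enrollment URL to relay to him.
ALTER USER joe ENROLL MFA;

-- 2. Fallback: a short single-factor window. 15 minutes is enough for one
--    sign-in; the window starts when the statement runs.
ALTER USER joe SET MINS_TO_BYPASS_MFA = 15;

-- Confirm the property took effect (MINS_TO_BYPASS_MFA is listed by DESCRIBE USER).
DESCRIBE USER joe;

-- 3. Afterwards, list every sign-in that completed with no second factor
--    while the window was open. Unquoted user names are stored upper-case.
SELECT event_timestamp, client_ip, reported_client_type,
       first_authentication_factor, second_authentication_factor, is_success
  FROM TABLE(information_schema.login_history_by_user(
         user_name        => 'JOE',
         time_range_start => DATEADD('hour', -1, CURRENT_TIMESTAMP()),
         result_limit     => 100))
 WHERE second_authentication_factor IS NULL
 ORDER BY event_timestamp DESC;

-- 4. Break-glass hygiene: every administrator who shares the vaulted
--    password must have a personal TOTP method on the user (the comment
--    column is how you tell them apart), and any sign-in by that user
--    should map to a known incident.
SHOW MFA METHODS FOR USER bg_admin;

SELECT event_timestamp, client_ip, second_authentication_factor, is_success
  FROM snowflake.account_usage.login_history
 WHERE user_name = 'BG_ADMIN'
   AND event_timestamp > DATEADD('day', -30, CURRENT_TIMESTAMP())
 ORDER BY event_timestamp DESC;
```

Step 3 is the part most teams skip: a bypass that was granted but never used is harmless, while one that was used from an unexpected client IP is an incident, and the only way to tell them apart is the login record.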

Connecting to Snowflake with MFA¶

MFA login is designed primarily for connecting to Snowflake through the web interface, but is also fully supported by SnowSQL, the Snowflake JDBC, Node.js, and ODBC drivers, and the Snowflake Connector for Python.

Using MFA token caching to minimize the number of prompts during authentication — optional¶

MFA token caching can help to reduce the number of prompts that must be acknowledged while connecting and authenticating to Snowflake, especially when multiple connection attempts are made within a relatively short time interval.

A cached MFA token is valid for up to four hours.

The cached MFA token is invalid if any of the following conditions are met:

  1. The ALLOW_CLIENT_MFA_CACHING parameter is set to FALSE for the account.

  2. The method of authentication changes.

  3. The authentication credentials change (the username or the password).

  4. The authentication credentials are not valid.

  5. The cached token expires or is not cryptographically valid.

  6. The account name associated with the cached token changes.

The overall process Snowflake uses to cache MFA tokens is similar to that used to cache connection tokens for browser-based federated single sign-on. The client application stores the MFA token in the keystore of the client-side operating system. Users can delete the cached MFA token from the keystore at any time.

Snowflake supports MFA token caching with the following drivers, connectors, and tools on macOS and Windows. This feature is not supported on Linux.

  • Snowflake CLI version 3.0 (or later)

  • ODBC driver version 2.23.0 (or later).

  • JDBC driver version 3.12.16 (or later).

  • Python Connector for Snowflake version 2.3.7 (or later).

Snowflake recommends consulting with internal security and compliance officers prior to enabling MFA token caching.

Tip

MFA token caching can be combined with connection caching in federated single sign-on.

To combine these two features, ensure that the ALLOW_ID_TOKEN parameter is set to true in tandem with the ALLOW_CLIENT_MFA_CACHING parameter.

To enable MFA token caching, complete the following steps:

  1. As an account administrator (i.e. a user with the ACCOUNTADMIN system role), set the ALLOW_CLIENT_MFA_CACHING parameter to true for an account using the ALTER ACCOUNT command.

    ALTER ACCOUNT SET ALLOW_CLIENT_MFA_CACHING = TRUE;
    
  2. In the client connection string, update the authenticator value to authenticator = username_password_mfa.

  3. Add the package or libraries needed by the driver or connector:

    • If you are using the Snowflake Connector for Python, install the optional keyring package by running:

      pip install "snowflake-connector-python[secure-local-storage]"
      

      You must enter the square brackets ([ and ]) as shown in the command. The square brackets specify the extra part of the package that should be installed.

      Use quotes around the name of the package as shown to prevent the square brackets from being interpreted as a wildcard.

      If you need to install other extras (for example, pandas for using the Python Connector APIs for Pandas), use a comma between the extras:

      pip install "snowflake-connector-python[secure-local-storage,pandas]"
      
    • For the Snowflake JDBC Driver, see Add the JNA classes to your classpath.

To disable MFA token caching, unset the ALLOW_CLIENT_MFA_CACHING parameter:

ALTER ACCOUNT UNSET ALLOW_CLIENT_MFA_CACHING;

To find all users whose sign-ins used a cached MFA token as the second authentication factor, you can execute the following SQL statement as an account administrator (a user with the ACCOUNTADMIN role):

SELECT EVENT_TIMESTAMP,
       USER_NAME,
       IS_SUCCESS
  FROM SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY
  WHERE SECOND_AUTHENTICATION_FACTOR = 'MFA_TOKEN';
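An added example, not part of the Snowflake documentation, that goes one step further than the query above: it confirms the state of the two caching parameters and then breaks sign-ins down by first and second factor per user, so that cached-token use, other second factors, and sign-ins with no second factor at all show up side by side. It assumes the ACCOUNTADMIN role and a seven-day lookback; the column names are those of SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY.

```sql
-- Added example, not Snowflake's own code. Assumed: ACCOUNTADMIN role and a
-- 7-day lookback. Reads only account parameters and LOGIN_HISTORY.
USE ROLE ACCOUNTADMIN;

-- Both switches must be TRUE to combine MFA token caching with SSO
-- connection caching, as the Tip above says; check them rather than assume.
SHOW PARAMETERS LIKE 'ALLOW_CLIENT_MFA_CACHING' IN ACCOUNT;
SHOW PARAMETERS LIKE 'ALLOW_ID_TOKEN' IN ACCOUNT;

-- One row per user, first factor and second factor. 'MFA_TOKEN' is a cached
-- token; 'NONE' means the sign-in completed on the first factor alone.
-- IS_SUCCESS is the text column 'YES' / 'NO' in this view.
SELECT user_name,
       first_authentication_factor,
       COALESCE(second_authentication_factor, 'NONE') AS second_factor,
       COUNT(*)                                       AS logins,
       SUM(IFF(is_success = 'YES', 1, 0))              AS successes,
       MAX(event_timestamp)                           AS last_seen
  FROM snowflake.account_usage.login_history
 WHERE event_timestamp > DATEADD('day', -7, CURRENT_TIMESTAMP())
 GROUP BY 1, 2, 3
 ORDER BY user_name, second_factor;
```

Rows with first factor PASSWORD and second factor NONE are the users the MFA rollout will affect; rows with MFA_TOKEN tell you which users are relying on the client-side cache, which matters if you later decide to unset ALLOW_CLIENT_MFA_CACHING and invalidate every cached token at once.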

Using MFA with SnowSQL¶

MFA can be used for connecting to Snowflake through SnowSQL. By default, the Duo Push authentication mechanism is used when a user is enrolled in MFA.

To use a Duo-generated passcode instead of the push mechanism, the login parameters must include one of the following connection options:

--mfa-passcode <string> OR --mfa-passcode-in-password

For more details, see SnowSQL (CLI client).

Using MFA with JDBC¶

MFA can be used for connecting to Snowflake via the Snowflake JDBC driver. By default, the Duo Push authentication mechanism is used when a user is enrolled in MFA; no changes to the JDBC connection string are required.

To use a Duo-generated passcode instead of the push mechanism, one of the following parameters must be included in the JDBC connection string:

passcode=<passcode_string> OR passcodeInPassword=on

Where:

  • passcode_string is a Duo-generated passcode for the user who is connecting. This can be a passcode generated by the Duo Mobile application or an SMS passcode.

  • If passcodeInPassword=on, then the password and passcode are concatenated, in the form of <password_string><passcode_string>.

For more details, see JDBC Driver.

Examples of JDBC connection strings using Duo¶

JDBC connection string for user demo connecting to the xy12345 account (in the US West region) using a Duo passcode:

jdbc:snowflake://xy12345.snowflakecomputing.com/?user=demo&passcode=123456

JDBC connection string for user demo connecting to the xy12345 account (in the US West region) using a Duo passcode that is embedded in the password:

jdbc:snowflake://xy12345.snowflakecomputing.com/?user=demo&passcodeInPassword=on

Using MFA with Node.js¶

MFA can be used for connecting to Snowflake through the Snowflake Node.js driver. By default, the Duo Push authentication mechanism is used when a user is enrolled in MFA.

To use a Duo-generated passcode instead of the push mechanism, the login parameters must include one of the following connection options. Both examples use a password of abc123 and MFA passcode of 987654 to demonstrate the configuration.

  • Set the passcodeInPassword option to true and include the passcode as part of the password string, similar to the following:

    authenticator: 'USERNAME_PASSWORD_MFA',
    password: "abc123987654", // password abc123 followed by passcode 987654
    passcodeInPassword: true  // tells the driver to split the passcode off the end of the password
    
  • Set the passcode option to the value of the passcode to specify the password and the passcode separately, similar to the following:

    authenticator: 'USERNAME_PASSWORD_MFA',
    password: "abc123", // password and MFA passcode are input separately
    passcode: "987654"
    

    To use this approach, ensure that the passcodeInPassword option is false (the default value). If both passcodeInPassword is set to true and passcode is also configured, the passcodeInPassword setting takes precedence and the driver assumes the password field contains both the password and the MFA passcode when authenticating.

For more details, see Use an MFA passcode.

Using MFA with ODBC¶

MFA can be used for connecting to Snowflake via the Snowflake ODBC driver. By default, the Duo Push authentication mechanism is used when a user is enrolled in MFA; no changes to the ODBC settings are required.

To use a Duo-generated passcode instead of the push mechanism, one of the following parameters must be specified for the driver:

passcode=<passcode_string> OR passcodeInPassword=on

Where:

  • passcode_string is a Duo-generated passcode for the user who is connecting. This can be a passcode generated by the Duo Mobile application or an SMS passcode.

  • If passcodeInPassword=on, then the password and passcode are concatenated, in the form of <password_string><passcode_string>.

For more details, see ODBC Driver.

Using MFA with Python¶

MFA can be used for connecting to Snowflake via the Snowflake Python Connector. By default, the Duo Push authentication mechanism is used when a user is enrolled in MFA; no changes to the Python API calls are required.

To use a Duo-generated passcode instead of the push mechanism, one of the following parameters must be specified for the driver in the connect() method:

passcode=<passcode_string> OR passcode_in_password=True

Where:

  • passcode_string is a Duo-generated passcode for the user who is connecting. This can be a passcode generated by the Duo Mobile application or an SMS passcode.

  • If passcode_in_password=True, then the password and passcode are concatenated, in the form of <password_string><passcode_string>.

For more details, see the description of the connect() method in the Functions section of the Python Connector API documentation.