Multi-factor authentication (MFA)¶
Multi-factor authentication (MFA) reduces the security risks associated with password authentication. When a password user is enrolled in MFA, they must use a second factor of authentication when signing in to Snowflake. These users enter their password, and then use the second factor. For information about how a user adds an MFA method that they can use as a second factor of authentication, see Configuring a second factor of authentication.
MFA is intended for human users who authenticate with a password. Service users must use another form of authentication. For more information about these user types, see Types of users.
Important
To improve the security posture of all of its customers, Snowflake is rolling out changes to require MFA for all password sign-ins. For information about this rollout, see Planning for the deprecation of single-factor password sign-ins.
Requiring users to enroll in MFA¶
Currently, strategies for implementing MFA for your organization vary depending on whether or not an account existed when the 2024_08 behavior change bundle was enabled:
If an account existed before the 2024_08 bundle was enabled, then you must configure your account if you want to require human users to use MFA. For information about implementing MFA to require all human users to enroll in MFA, see Hardening user or account authentication using MFA.
If the account was created after the 2024_08 bundle was enabled, then all human users who authenticate with a password must enroll in MFA by default. This MFA requirement does not apply to service users.
If you want to disable the requirement that all human users enroll in MFA, create a custom authentication policy with
MFA_ENROLLMENT=OPTIONAL
, and then set the authentication policy on the account. For more information about creating and setting authentication policies, see Authentication policies.Be aware that the ability to opt out of mandatory MFA is temporary; see Planning for the deprecation of single-factor password sign-ins.
Restricting which MFA methods are available¶
When a user is enrolled in MFA, they are required to use an MFA method as a second factor of authentication. Snowflake allows the following MFA methods:
Authenticating with a passkey that can be stored and accessed in a variety of ways.
Authenticating with an authenticator app that generates a time-based one-time passcode (TOTP).
Authenticating with Duo.
Tip
As you decide which MFA methods to allow, keep in mind the following:
Passkeys are recommended due to their security and usability.
Duo is not replicated like the other MFA methods.
As an administrator, you can use an authentication policy to control which MFA methods can be used as a second factor of authentication. For example, the following authentication policy allows users to use a passkey or authenticator app as their second factor of authentication, but not Duo:
CREATE AUTHENTICATION POLICY require_mfa_policy
MFA_AUTHENTICATION_METHODS = ('PASSWORD')
MFA_ENROLLMENT = REQUIRED
MFA_POLICY = (ALLOWED_METHODS = ('PASSKEY', 'TOTP'));
If a user previously configured an MFA method that is now prohibited, the next time they sign in they’ll be prompted to authenticate using the pre-existing method, then prompted to configure a new, allowed method.
For more information about the MFA_POLICY parameter, see CREATE AUTHENTICATION POLICY.
Removing a user’s MFA methods¶
You can remove an MFA method that a user previously added so that they can no longer use it as their second factor of authentication.
Execute the SHOW MFA METHODS command and find the value in the
name
column. For example, if you are removing an MFA method for a userjoe
, execute the following and copy thename
of the MFA method from the output:SHOW MFA METHODS FOR USER joe;
+---------------+-----------------+------------------------+-------------------------------+---------------------------------+---------------------+ | name | type | comment | last_used | created_on | additional_info | +---------------+-----------------+------------------------+-------------------------------+---------------------------------+---------------------+ | TOTP-48A7 | TOTP | Authenticator App 48A7 | 2025-02-26 11:14:38.000 -0800 | 2025-02-26 11:13:19.000 -0800 | null | +---------------+-----------------+------------------------+-------------------------------+---------------------------------+---------------------+
Execute an ALTER USER … REMOVE MFA METHOD statement to remove the MFA method:
ALTER USER joe REMOVE MFA METHOD TOTP-48A7;
Recovering a user who is locked out¶
If a password user is locked out of Snowflake because they don’t have access to a second factor of authentication, an administrator can help them recover the ability to sign in by temporarily disabling MFA or by helping the user set up a new MFA method.
Prompt user to add a new MFA method¶
If a user loses access to the MFA method that they use as their second factor of authentication (for example, by losing the YubiKey that stores their passkey), an administrator can help the user set up a new MFA method so that they can sign in to Snowflake.
When a user does not have access to their MFA method and needs to set up a new one, the administrator executes an
ALTER USER … ENROLL MFA statement. For example, if user joe
needs to establish a new MFA
method, the administrator can execute the following:
ALTER USER joe ENROLL MFA;
If the user has a verified email, Snowflake sends an email prompting them to add an MFA authentication method.
If the user doesn’t have a verified email, Snowflake returns the URL of a page that prompts the user to add an MFA authentication method. Administrators can send this URL to the locked-out user.
Temporarily disable MFA¶
If an administrator needs to temporarily disable MFA for a user, they can execute an
ALTER USER … SET MINS_TO_BYPASS_MFA statement. For example, to temporarily disable MFA so that user
joe
can authenticate with a single-factor password for 30 minutes, execute the following:
ALTER USER joe SET MINS_TO_BYPASS_MFA = 30;
Setting up administrators for break glass access¶
Break glass access refers to the ability to bypass normal authentication methods. Administrators need break glass access to Snowflake if normal authentication becomes unavailable, for example, if an organization’s identity provider goes down.
In many cases, organizations provide break glass access by creating a dedicated Snowflake user and storing their password credential in a cryptographic key vault. When MFA is enforced, every administrator who uses this password must have their own MFA method that they can use as a second factor of authentication. In these cases, Snowflake recommends that each administrator set up a TOTP MFA method so that they can use an authenticator app as their second factor. Using descriptive comments when configuring the MFA method can help distinguish between administrators.
Connecting to Snowflake with MFA¶
MFA login is designed primarily for connecting to Snowflake through the web interface, but is also fully-supported by SnowSQL and the Snowflake JDBC, Node.js, and ODBC drivers.
Using MFA token caching to minimize the number of prompts during authentication — optional¶
MFA token caching can help to reduce the number of prompts that must be acknowledged while connecting and authenticating to Snowflake, especially when multiple connection attempts are made within a relatively short time interval.
A cached MFA token is valid for up to four hours.
The cached MFA token is invalid if any of the following conditions are met:
The ALLOW_CLIENT_MFA_CACHING parameter is set to FALSE for the account.
The method of authentication changes.
The authentication credentials change (i.e. username and/or password).
The authentication credentials are not valid.
The cached token expires or is not cryptographically valid.
The account name associated with the cached token changes.
The overall process Snowflake uses to cache MFA tokens is similar to that used to cache connection tokens for browser-based federated single sign-on. The client application stores the MFA token in the keystore of the client-side operating system. Users can delete the cached MFA token from the keystore at any time.
Snowflake supports MFA token caching with the following drivers, connectors, and tools on macOS and Windows. This feature is not supported on Linux.
Snowflake CLI version 3.0 (or later)
ODBC driver version 2.23.0 (or later).
JDBC driver version 3.12.16 (or later).
Python Connector for Snowflake version 2.3.7 (or later).
Snowflake recommends consulting with internal security and compliance officers prior to enabling MFA token caching.
Tip
MFA token caching can be combined with connection caching in federated single sign-on.
To combine these two features, ensure that the ALLOW_ID_TOKEN parameter is set to true
in tandem with the ALLOW_CLIENT_MFA_CACHING parameter.
To enable MFA token caching, complete the following steps:
As an account administrator (i.e. a user with the ACCOUNTADMIN system role), set the ALLOW_CLIENT_MFA_CACHING parameter to
true
for an account using the ALTER ACCOUNT command.ALTER ACCOUNT SET ALLOW_CLIENT_MFA_CACHING = TRUE;
In the client connection string, update the authenticator value to
authenticator = username_password_mfa
.Add the package or libraries needed by the driver or connector:
If you are using the Snowflake Connector for Python, install the optional keyring package by running:
pip install "snowflake-connector-python[secure-local-storage]"
You must enter the square brackets (
[
and]
) as shown in the command. The square brackets specify the extra part of the package that should be installed.Use quotes around the name of the package as shown to prevent the square brackets from being interpreted as a wildcard.
If you need to install other extras (for example,
pandas
for using the Python Connector APIs for Pandas), use a comma between the extras:pip install "snowflake-connector-python[secure-local-storage,pandas]"
For the Snowflake JDBC Driver, see Add the JNA classes to your classpath.
To disable MFA token caching, unset the ALLOW_CLIENT_MFA_CACHING parameter:
ALTER ACCOUNT UNSET ALLOW_CLIENT_MFA_CACHING;
To find all users who use MFA token caching as the second-factor authentication to log in, you can execute the following SQL statement as an account administrator (a user with the ACCOUNTADMIN role):
SELECT EVENT_TIMESTAMP,
USER_NAME,
IS_SUCCESS
FROM SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY
WHERE SECOND_AUTHENTICATION_FACTOR = 'MFA_TOKEN';
Using MFA with SnowSQL¶
MFA can be used for connecting to Snowflake through SnowSQL. By default, the Duo Push authentication mechanism is used when a user is enrolled in MFA.
To use a Duo-generated passcode instead of the push mechanism, the login parameters must include one of the following connection options:
--mfa-passcode <string>
OR--mfa-passcode-in-password
For more details, see SnowSQL (CLI client).
Using MFA with JDBC¶
MFA can be used for connecting to Snowflake via the Snowflake JDBC driver. By default, the Duo Push authentication mechanism is used when a user is enrolled in MFA; no changes to the JDBC connection string are required.
To use a Duo-generated passcode instead of the push mechanism, one of the following parameters must be included in the JDBC connection string:
passcode=<passcode_string>
ORpasscodeInPassword=on
Where:
passcode_string
is a Duo-generated passcode for the user who is connecting. This can be a passcode generated by the Duo Mobile application or an SMS passcode.If
passcodeInPassword=on
, then the password and passcode are concatenated, in the form of<password_string><passcode_string>
.
For more details, see JDBC Driver.
Examples of JDBC connection strings using Duo¶
JDBC connection string for user demo
connecting to the xy12345
account (in the US West region) using a Duo passcode:
jdbc:snowflake://xy12345.snowflakecomputing.com/?user=demo&passcode=123456
JDBC connection string for user demo
connecting to the xy12345
account (in the US West region) using a Duo passcode that is
embedded in the password:
jdbc:snowflake://xy12345.snowflakecomputing.com/?user=demo&passcodeInPassword=on
Using MFA with Node.js¶
MFA can be used for connecting to Snowflake through the Snowflake Node.js driver. By default, the Duo Push authentication mechanism is used when a user is enrolled in MFA.
To use a Duo-generated passcode instead of the push mechanism, the login parameters must include one of the following connection options. Both examples use a password of abc123
and MFA passcode of 987654
to demonstrate the configuration.
Set the
passcodeInPassword
option totrue
and include the passcode as part of the password string, similar to the following:authenticator: 'USERNAME_PASSWORD_MFA', password: "abc123987654", // passcode 987654 is part of the password passcodeInPassword: true // because passcodeInPassword is true
Set the
passcode
option to the value of the passcode to specify the password and the passcode separately, similar to the following:authenticator: 'USERNAME_PASSWORD_MFA', password: "abc123", // password and MFA passcode are input separately passcode: "987654"
To use this approach, ensure that the
passcodeInPassword
option isfalse
(the default value). If bothpasscodeInPassword
is set totrue
andpasscode
is also configured, thepasscodeInPassword
setting takes precedence and the driver assumes thepassword
field contains both the password and the MFA passcode when authenticating.
For more details, see Use an MFA passcode.
Using MFA with ODBC¶
MFA can be used for connecting to Snowflake via the Snowflake ODBC driver. By default, the Duo Push authentication mechanism is used when a user is enrolled in MFA; no changes to the ODBC settings are required.
To use a Duo-generated passcode instead of the push mechanism, one of the following parameters must be specified for the driver:
passcode=<passcode_string>
ORpasscodeInPassword=on
Where:
passcode_string
is a Duo-generated passcode for the user who is connecting. This can be a passcode generated by the Duo Mobile application or an SMS passcode.If
passcodeInPassword=on
, then the password and passcode are concatenated, in the form of<password_string><passcode_string>
.
For more details, see ODBC Driver.
Using MFA with Python¶
MFA can be used for connecting to Snowflake via the Snowflake Python Connector. By default, the Duo Push authentication mechanism is used when a user is enrolled in MFA; no changes to the Python API calls are required.
To use a Duo-generated passcode instead of the push mechanism, one of the following parameters must be specified for the driver in the connect() method:
passcode=<passcode_string>
ORpasscode_in_password=True
Where:
passcode_string
is a Duo-generated passcode for the user who is connecting. This can be a passcode generated by the Duo Mobile application or an SMS passcode.If
passcode_in_password=True
, then the password and passcode are concatenated, in the form of<password_string><passcode_string>
.
For more details, see the description of the connect() method in the Functions section of the Python Connector API documentation.