Multi-Factor Authentication (MFA)¶

Using MFA Token Caching to Minimize the Number of Prompts During Authentication — Optional¶

MFA token caching can help to reduce the number of prompts that must be acknowledged while connecting and authenticating to Snowflake, especially when multiple connection attempts are made within a relatively short time interval.

A cached MFA token is valid for up to four hours.

The cached MFA token is invalid if any of the following conditions are met:

1. The ALLOW_CLIENT_MFA_CACHING parameter is set to FALSE for the account.

2. The method of authentication changes.

3. The authentication credentials change (i.e. username and/or password).

4. The authentication credentials are not valid.

5. The cached token expires or is not cryptographically valid.

6. The account name associated with the cached token changes.

The overall process Snowflake uses to cache MFA tokens is similar to that used to cache connection tokens for browser-based federated single sign-on. The client application stores the MFA token in the keystore of the client-side operating system. Users can delete the cached MFA token from the keystore at any time.

Snowflake supports MFA token caching with the following drivers and connectors on macOS and Windows. This feature is not supported on Linux.

• ODBC driver version 2.23.0 (or later).

• JDBC driver version 3.12.16 (or later).

• Python Connector for Snowflake version 2.3.7 (or later).

Snowflake recommends consulting with internal security and compliance officers prior to enabling MFA token caching.

To enable MFA token caching, complete the following steps:

1. As an account administrator (i.e. a user with the ACCOUNTADMIN system role), set the ALLOW_CLIENT_MFA_CACHING parameter to true for an account using the ALTER ACCOUNT command.

   -- account-level
   
   alter account set allow_client_mfa_caching = true;
   

   Copy

2. In the client connection string, update the authenticator value to authenticator = username_password_mfa.

3. Add the package or libraries needed by the driver or connector:

   • If you are using the Snowflake Connector for Python, install the optional keyring package by running:

     pip install "snowflake-connector-python[secure-local-storage]"
     

     Copy

     You must enter the square brackets ([ and ]) as shown in the command. The square brackets specify the extra part of the package that should be installed.

     Use quotes around the name of the package as shown to prevent the square brackets from being interpreted as a wildcard.

     If you need to install other extras (for example, pandas for using the Python Connector APIs for Pandas), use a comma between the extras:

     pip install "snowflake-connector-python[secure-local-storage,pandas]"
     

     Copy

   • For the Snowflake JDBC Driver, see Adding the JNA Classes to Your Classpath.

To disable MFA token caching, unset the ALLOW_CLIENT_MFA_CACHING parameter.

Using MFA with Snowsight¶

To log into Snowsight with MFA:

1. Sign in to Snowsight.

2. Enter your credentials (user login name and password).

3. If Duo Push is enabled, you may select a notification method. If Send Me a Push is selected, a push notification is sent to your Duo Mobile application. When you receive the notification, select Approve and you will be logged into Snowflake.

   

   As shown on the above , instead of using the push notification, you can also choose to:

   • Select Call Me to receive login instructions from a phone call to the registered mobile device.

   • Select Enter a Passcode to log in by manually entering a passcode provided by the Duo Mobile application.

Using MFA with the Classic Console Web Interface¶

To log into the Classic Console with MFA:

1. Point your browser at the URL for your account. For example: https://myorg-account1.snowflakecomputing.com.

2. Enter your credentials (user login name and password).

3. If Duo Push is enabled, a push notification is sent to your Duo Mobile application. When you receive the notification, select Approve and you will be logged into Snowflake.

   

   As shown on the above screenshot, instead of using the push notification, you can also choose to:

   • Select Call Me to receive login instructions from a phone call to the registered mobile device.

   • Select Enter a Passcode to log in by manually entering a passcode provided by the Duo Mobile application.

Using MFA with SnowSQL¶

MFA can be used for connecting to Snowflake through SnowSQL. By default, the Duo Push authentication mechanism is used when a user is enrolled in MFA.

To use a Duo-generated passcode instead of the push mechanism, the login parameters must include one of the following connection options:

--mfa-passcode <string> OR --mfa-passcode-in-password

For more details, see SnowSQL (CLI Client).

Using MFA with JDBC¶

MFA can be used for connecting to Snowflake via the Snowflake JDBC driver. By default, the Duo Push authentication mechanism is used when a user is enrolled in MFA; no changes to the JDBC connection string are required.

To use a Duo-generated passcode instead of the push mechanism, one of the following parameters must be included in the JDBC connection string:

passcode=<passcode_string> OR passcodeInPassword=on

Where:

• passcode_string is a Duo-generated passcode for the user who is connecting. This can be a passcode generated by the Duo Mobile application or an SMS passcode.

• If passcodeInPassword=on, then the password and passcode are concatenated, in the form of <password_string><passcode_string>.

For more details, see JDBC Driver.

Using MFA with ODBC¶

MFA can be used for connecting to Snowflake via the Snowflake ODBC driver. By default, the Duo Push authentication mechanism is used when a user is enrolled in MFA; no changes to the ODBC settings are required.

To use a Duo-generated passcode instead of the push mechanism, one of the following parameters must be specified for the driver:

passcode=<passcode_string> OR passcodeInPassword=on

Where:

• passcode_string is a Duo-generated passcode for the user who is connecting. This can be a passcode generated by the Duo Mobile application or an SMS passcode.

• If passcodeInPassword=on, then the password and passcode are concatenated, in the form of <password_string><passcode_string>.

For more details, see ODBC Driver.

Using MFA with Python¶

MFA can be used for connecting to Snowflake via the Snowflake Python Connector. By default, the Duo Push authentication mechanism is used when a user is enrolled in MFA; no changes to the Python API calls are required.

To use a Duo-generated passcode instead of the push mechanism, one of the following parameters must be specified for the driver in the connect() method:

passcode=<passcode_string> OR passcode_in_password=True

Where:

• passcode_string is a Duo-generated passcode for the user who is connecting. This can be a passcode generated by the Duo Mobile application or an SMS passcode.

• If passcode_in_password=True, then the password and passcode are concatenated, in the form of <password_string><passcode_string>.

For more details, see the description of the connect() method in the Functions section of the Python Connector API documentation.