Planning for the deprecation of single-factor password sign-ins¶

To improve the security posture of all of its customers, Snowflake is rolling out changes to require multi-factor authentication (MFA) for all human users using passwords, and disallow passwords for all service users. This topic describes how single-factor password sign-ins will be deprecated so you can plan accordingly.

Important

In October 2025, Snowflake simplified the timeline discussed in this topic. The new timeline consolidates initial milestones and extends the final enforcement date from August 2026 to October 2026. This change streamlines the process of adopting MFA and was made in response to direct customer feedback regarding the complexity of meeting the original milestone timelines.

This revised timeline provides your organization with more time and clarity to plan the migration of your current workloads that rely on passwords. It also gives you the opportunity to adopt our recently released security improvements designed to make your transition easier. These security improvements include workload identity federation for secretless authentication of your service workloads and one-time passcodes (OTP) as a new MFA method for your breakglass scenarios.

The deprecation process described in this topic does not apply to reader accounts or trial accounts. You can continue to sign in to these types of accounts with a single-factor password.

Human users vs. service users¶

User objects in Snowflake don’t always correspond to human users. There are users who sign in to Snowflake without human interaction — for example, an application or service. These users are considered service users.

Administrators use the TYPE parameter of a user object to define whether a user is a human user or a service user.

For human users, TYPE=PERSON. If you don’t set the TYPE parameter or set it to NULL, the user is treated as a human user.
For service users, TYPE=SERVICE.

Note

The LEGACY_SERVICE user type helps customers transition service users to using a secure form of authentication. Setting a user’s type to LEGACY_SERVICE temporarily allows the user to authenticate with a password even though it’s an application or service. The rollout described in this topic involves the gradual deprecation of this user type.

The distinction between a human user and a service user is important because this rollout affects these two types of users differently. To harden the security posture for both types of users, the deprecation of single-factor password sign-ins consists of the following:

All human users who use password authentication will be required to use a second factor of authentication.
All legacy service users who currently use password authentication will be required to migrate to a more secure authentication method.

Deprecation timeline¶

The following table provides the timeline for the deprecation of single-factor password sign ins.

Estimated date	Affected users	Milestone
Sep. 2025 - Jan. 2026	Human users	Mandatory MFA for all Snowsight users
May 2026 - Jul. 2026	Human users Legacy service users	Strong authentication for NEW users
Aug. 2026 - Oct. 2026	Human users Legacy service users	Strong authentication for ALL users

Milestone 1: Mandatory MFA for all Snowsight users (new and existing)¶

Milestone 1 is implemented using Snowflake’s established behavior change release process. In this process, Snowflake releases a behavior change bundle each month. Because changes will be included in a behavior change bundle, enforcement of the new restrictions coincide with the lifecycle of the bundle.

For more information about the lifecycle of behavior change bundles so you can plan for the enforcement of this milestone, see Behavior change policy.

2025_06 bundle (September 2025 - January 2026) [1]

Objective	New behavior
Mandatory MFA for all Snowsight users	Human users must authenticate with a second factor when using a password to access Snowsight, with no exceptions. Keep in mind the following: This milestone affects Snowsight only. Human users can continue to use a single-factor password to access the Snowflake service from business intelligence (BI) and similar tools, even after they use Snowsight to enroll in MFA. You can choose to enforce MFA for these other tools; users who are already enrolled in MFA and use MFA outside Snowsight will continue to use MFA. Authentication policies that implemented optional MFA enrollment for Snowsight are overridden. Because users authenticating with Snowflake OAuth use the Snowsight login interface, they must be enrolled in MFA. Single sign-on users are not impacted by this change and can continue to access Snowsight with no changes. Legacy service users (`TYPE=LEGACY_SERVICE`) are not impacted by this change and can continue to access Snowsight with a single-factor password.

Objective

New behavior

Mandatory MFA for all Snowsight users

Human users must authenticate with a second factor when using a password to access Snowsight, with no exceptions.

Keep in mind the following:

This milestone affects Snowsight only. Human users can continue to use a single-factor password to access the Snowflake service from business intelligence (BI) and similar tools, even after they use Snowsight to enroll in MFA. You can choose to enforce MFA for these other tools; users who are already enrolled in MFA and use MFA outside Snowsight will continue to use MFA.
Authentication policies that implemented optional MFA enrollment for Snowsight are overridden.
Because users authenticating with Snowflake OAuth use the Snowsight login interface, they must be enrolled in MFA.
Single sign-on users are not impacted by this change and can continue to access Snowsight with no changes.
Legacy service users (TYPE=LEGACY_SERVICE) are not impacted by this change and can continue to access Snowsight with a single-factor password.

For detailed information about how the changes in this bundle affect password and SSO authentication for your users, see Upcoming Multi-Factor Authentication (MFA) enforcement for Snowsight logins with single-factor passwords (Knowledge Base article).

Milestone 2: Strong authentication for new users¶

Milestone 2 will be enforced in accounts on a rolling basis during a three-month period. You’ll receive a notification with the enforcement date for your account.

May 2026 - July 2026 [2]

Objective	New behavior
Mandatory MFA for all new human users	All human users that are created after this milestone is enforced must use a second factor when authenticating with a password, including those using BI tools or similar. Human users who existed before the milestone is enforced are not affected. These password users can continue to use BI tools or similar (anything but Snowsight) without a second factor of authentication until the next milestone. For example, suppose this milestone is enforced on May 15, 2026. All human users created on or after this date must use a second factor of authentication regardless of the surface. Human users who existed before this date can continue to use password-only authentication for BI tools, but not Snowsight.
No new legacy service users	All non-human users created after the milestone is enforced must be of type `SERVICE`, which prevents them from using a password. The `LEGACY_SERVICE` type is no longer available when creating a new user object. In addition, administrators cannot change the type of an existing user to `LEGACY_SERVICE`. For example, suppose this milestone is enforced on May 15, 2026. After this date, `TYPE=LEGACY_SERVICE` is an invalid option when executing a CREATE USER or ALTER USER command.

Objective

New behavior

Mandatory MFA for all new human users

All human users that are created after this milestone is enforced must use a second factor when authenticating with a password, including those using BI tools or similar.

Human users who existed before the milestone is enforced are not affected. These password users can continue to use BI tools or similar (anything but Snowsight) without a second factor of authentication until the next milestone.

For example, suppose this milestone is enforced on May 15, 2026. All human users created on or after this date must use a second factor of authentication regardless of the surface. Human users who existed before this date can continue to use password-only authentication for BI tools, but not Snowsight.

No new legacy service users

All non-human users created after the milestone is enforced must be of type SERVICE, which prevents them from using a password. The LEGACY_SERVICE type is no longer available when creating a new user object. In addition, administrators cannot change the type of an existing user to LEGACY_SERVICE.

For example, suppose this milestone is enforced on May 15, 2026. After this date, TYPE=LEGACY_SERVICE is an invalid option when executing a CREATE USER or ALTER USER command.

Milestone 3: Strong authentication for all users¶

Milestone 3 will be enforced in accounts on a rolling basis during a three-month period. You’ll receive a notification with the enforcement date for your account.

August 2026 - October 2026 [3]

Objective	New behavior
Mandatory MFA for all human users	When this milestone is enforced, all new and existing human users must use a second factor when authenticating with a password, with no exceptions.
No legacy service users	When this milestone is enforced, all non-human users are blocked from using a password to authenticate. The `LEGACY_SERVICE` user type is fully deprecated. All existing user objects with `TYPE=LEGACY_SERVICE` are migrated to `TYPE=SERVICE`, which prevents them from using a password.

Objective

New behavior

Mandatory MFA for all human users

When this milestone is enforced, all new and existing human users must use a second factor when authenticating with a password, with no exceptions.

No legacy service users

When this milestone is enforced, all non-human users are blocked from using a password to authenticate.

The LEGACY_SERVICE user type is fully deprecated. All existing user objects with TYPE=LEGACY_SERVICE are migrated to TYPE=SERVICE, which prevents them from using a password.