Configuring a second factor of authentication¶
When a password user is enrolled in Multi-factor authentication (MFA), they must use a second factor of authentication when signing in to Snowflake. These users enter their password, then use the second factor.
Snowflake provides the following possible second factors:
Authenticating with a passkey that can be stored and accessed in a variety of ways.
Authenticating with your preferred authenticator app.
Authenticating with Duo.
Your administrator controls which factors are available to you. For more information, see Restricting which MFA methods are available.
Get started¶
When an administrator requires a user to enroll in MFA, the user is prompted to add a second factor of authentication the next time they sign in to Snowsight.
If you are already signed in to Snowsight and want to set up a second factor of authentication, do the following:
In the left-hand navigation, select your name. The user menu opens.
Select Settings.
Select Authentication.
In the Multi-factor authentication section, select Add new authentication method.
Follow the prompts to configure your second factor of authentication.
Using passkey authentication¶
A passkey is a form of authentication based on the WebAuthn standard, which uses public/private key cryptography. When you successfully configure Snowflake to authenticate with a passkey, the private key is securely stored in a personal location, whether it’s on your machine, a hardware security key (for example, a Yubikey), or a password manager.
To set up a passkey as your second factor of authentication, complete the following tasks:
When prompted, select Passkey.
Complete the steps to store your passkey as you would with any other website or application. For example, you can use a hardware security key or configure your machine so you must use a fingerprint to access the passkey when authenticating.
Specify a name for the authentication method so that you can identify it when signing in to Snowflake.
After you enter your password, you’ll be prompted to provide your passkey, using the method you configured.
Using an authenticator app¶
Snowflake allows you to use your preferred authenticator app to use a time-based one-time passcode (TOTP) as your second factor of authentication. Common authenticator apps include Google Authenticator, Microsoft Authenticator, and Authy.
To set up an authenticator app as your second factor, complete the following tasks:
When prompted, select Authenticator.
Complete the steps with your authenticator app as you would with any other website or application.
Specify a name for the authentication method so that you can identify it when signing in to Snowflake.
After you enter your password, you’ll be prompted to enter the TOTP from your authenticator app.
Using Duo¶
To set up Duo as your second factor, complete the following tasks:
When prompted, select DUO.
Complete the steps with Duo as you would with any other website or application.
Note
Your administrator must configure your organization’s firewall before you can use Duo as a second factor of authentication. For more information, see Prerequisite.
View your authentication methods¶
You can use Snowsight or SQL to view your second factors of authentication.
Sign in to Snowsight.
In the left-hand navigation, select your name. The user menu opens.
Select Settings.
Select Authentication.
Use the Multi-factor authentication section to view your MFA methods.
Execute the SHOW MFA METHODS command.
SHOW MFA METHODS;
Note
If you’re an administrator who wants to view the authentication method of another user, see SHOW MFA METHODS.
Set a default authentication method¶
If you configured more than one MFA method as a second factor of authentication, you can choose which one you’ll use to authenticate after you enter your password. To set the default second factor, do the following:
In the left-hand navigation, select your name. The user menu opens.
Select Settings.
Select Authentication.
In the Multi-factor authentication section, select an MFA method from the Default sign-in method drop-down.