Snowflake Rolls Out Mandatory MFA Plan

As part of the commitment to CISA's Secure by Design pledge, Snowflake will begin blocking sign-ins using single-factor authentication next year.

Dark Reading Staff, Dark Reading

December 10, 2024

NEWS BRIEF

Snowflake has announced a new authentication policy that will require all customers to enable multifactor authentication (MFA) on their accounts by November 2025 or risk having their access blocked.

The three-phase policy change comes after Snowflake's recent decision to enable MFA by default on all new accounts.

"MFA will be enforced by default for all human users in any Snowflake account created as of October 2024," Snowflake's Anoosh Saboori and Brad Jones wrote back in September.

In the first phase, planned for April, human users on accounts without a customized authentication policy will be required to enroll in MFA the next time they sign in to Snowflake.

The second phase, in August, will require MFA for all password-based sign-ins for human users. This requirement will apply regardless of any custom authentication policy in place on the account.

In the final phase, Snowflake will block all password-based sign-in attempts using single-factor authentication. While the previous two phases focused on human users, this phase will also apply to service accounts using programmatic access.

Snowflake customers must make the necessary changes before November. Snowflake has created guides to help organizations with the migration. There is also a Threat Intelligence scanner package available on Snowflake's Trust Center that can scan accounts to identify users who do not have MFA enabled and are at risk of losing access.

The spree of attacks targeting Snowflake customers earlier this year was a result of poor hygiene and the lack of MFA. More than 165 organizations were impacted, including Neiman Marcus, Ticketmaster, and AT&T. A significant volume of customer data was stolen, and several victims were hit with subsequent extortion attempts.
