Snowflake Will Default to Multi-Factor Authentication

Snowflake has always been committed to helping customers protect their accounts and data. To further our commitment to protect against cybersecurity threats and to champion the advancement of industry standards for security, Snowflake recently signed the Cybersecurity and Infrastructure Security Agency (CISA) Secure By Design Pledge. In line with CISA’s Secure By Design principles, we recently announced a number of security enhancements in the platform — most notably the general availability of Trust Center and a new multi-factor authentication (MFA) policy. As part of our continuing efforts, we are announcing that MFA will be enforced by default for all human users in any Snowflake account created in October 2024. Service users — accounts designed for service-to-service communication — will not be subject to this MFA requirement.

To help you further strengthen your security posture, starting in October, we will also require both newly created and altered user passwords to:

  • Have a minimum length of 14 characters, up from 8

  • Not be any of the last five passwords used 

The rollout for these changes will follow the standard protocol in Snowflake’s Behavior Change Policy (BCR)

What else can I do to enforce stronger authentication in Snowflake?

For existing Snowflake customers, we strongly recommend following the Snowflake security best practices in this white paper, including leveraging the Trust Center Security Essentials scanner package to look for compliance with MFA and the use of network policies. 

Additionally, we recommend the below to enforce stronger authentication: 

  • For human users:

    • We recommend using single sign-on (SSO) when possible and enabling MFA through your Identity Provider (IDP).

    • If SSO is not possible or MFA cannot be enabled through the IDP, or for break-glass scenarios, we recommend using Snowflake’s built-in MFA.

  • For service users: 

    • We recommend using external OAuth when possible, and if not, using key pair authentication to eliminate passwords altogether for such users. We strongly advise enabling network policies when using key pair authentication and, in general, to enable network policies for all user types, not just service users.

If you are using popular apps, such as PowerBI, dbt, Tableau or others, to connect to Snowflake, it is vital to configure them to use either external OAuth or key pair authentication (alongside a network policy). The proper configuration steps will depend on the particular app, so you will need to consult the provider for specifics (e.g., see the instructions for Tableau and dbt). If the app does not support Snowflake’s recommended authentication methods, please contact the app provider and also inform your Snowflake account team. Snowflake is working closely with our partner ecosystem so that their tooling and apps are ready for stronger authentication methods. 

What’s next?

To continue making Snowflake more secure by default, we are working on extending these stronger authentication policies to all existing Snowflake accounts — with the eventual expectation to completely eliminate password-only sign-ins to Snowflake. 

If you have further questions, please reach out to your Snowflake account team. 

 

LATEST ARTICLE

See Our Latest

Blog Posts

admin October 2nd, 2024

Privacy is no longer a growing requirement for doing business — it’s the new status quo. The stakes for not […]

admin October 2nd, 2024

There’s no question which technology everyone’s talking about in retail. Generative AI continues to promote incredible levels of interest with […]

admin October 1st, 2024

Credit: Hadlee Simons / Android Authority The Personal Safety app on Android will soon get a new option to add […]