Snowflake to abolish sole authentication method by the end of 2025
## Snowflake Enforces Widespread MFA Policy by 2025 to Boost Security
In a bid to enhance security and prevent future breaches, Snowflake has announced that it will mandate Multi-Factor Authentication (MFA) for all human users by the end of 2025. This move follows a series of high-profile attacks in 2024 that affected several Snowflake customer environments.
The new policy will come into effect in phases, starting in April 2025. By November 2025, Snowflake will block all password-based sign-in attempts to Snowflake using single-factor authentication, affecting both human users and service accounts that use programmatic access. Service accounts will be required to switch to key pair authentication or OAuth tokens to continue accessing Snowflake environments.
Previously, Snowflake users had to enroll themselves in MFA. However, starting in August 2025, MFA will be enabled by default for all password-based sign-ins for human users, regardless of any custom authentication policy in place. This means that human users who have not yet enrolled in MFA will be prompted to do so the next time they sign into Snowflake.
Snowflake's commitment to the Cybersecurity and Infrastructure Security Agency's secure by design pledge is evident in this policy change. The company also follows a phased approach to implementing MFA, giving customers time to prepare and reorient their tech stacks that might require changes to how they integrate with other critical services.
The policy change comes a year after a wave of attacks hit more than 100 Snowflake customer environments that were not configured with MFA. These attacks resulted in a significant volume of stolen customer data and follow-on extortion attempts. Notably, a cyberattack targeting AT&T's Snowflake environment in April compromised data on nearly all of the telecom provider's wireless customers.
While Snowflake is implementing a strict MFA policy by 2025, other major cloud services may not have similar blanket mandates but are likely to continue emphasizing strong authentication practices. For instance, the three-largest cloud providers - AWS, Google Cloud, and Microsoft Azure - will have MFA mandates in place for some or all customers by the end of 2025. However, specific mandates can vary by organization and provider.
Industry trends show a shift towards Zero Trust architectures, which often include MFA as a key component. This approach emphasizes verifying identities at every interaction, but specific mandates can vary by organization and provider. Major cloud providers like AWS, Azure, and Google Cloud Platform support a range of security features, including conditional access and identity federation, which can enforce MFA based on organizational policies.
As Snowflake enforces its MFA policy, users are advised to prepare for the changes and ensure their accounts are secure. This includes enrolling in MFA and updating their tech stacks to accommodate the new policy. By doing so, users can help protect their data and maintain the security of their Snowflake environments.
Snowflake's commitment to enhancing cybersecurity, as demonstrated by the mandatory Multi-Factor Authentication (MFA) policy, underscores the importance of technology in safeguarding user data. By the end of 2025, all password-based sign-ins for human users on Snowflake will require MFA, a move aimed at preventing future breaches and aligning with the company's pledge to the Cybersecurity and Infrastructure Security Agency's secure by design principles.
