You’ve likely heard of Snowflake, the popular cloud data platform. The company recently announced that it will be phasing out single-factor authentication (SFA) by 2025 and moving towards multi-factor authentication (MFA).
For users of Snowflake, this shift in approach means that you will need to adjust the way you log into the platform. It’s a positive step for security, but it may require some time and planning to make the transition smoothly.
MFA Becomes Standard After Attacks Cite Security Gaps
Snowflake’s decision to phase out SFA comes in response to a monumental wave of Cyberattacks in which over 100 customer environments were compromised.
These breaches occurred in accounts that lacked MFA. As a result, Snowflake is making MFA a default security measure for all new accounts, starting in October 2024.
This move aligns with Snowflake’s commitment to Cybersecurity, following their pledge to support the Cybersecurity and Infrastructure Security Agency’s (CISA) voluntary “Secure by Design” initiative signed in July 2024.
By late 2025, SFA will be fully phased out.
SFA & MFA In Cybersecurity
Authentication is a critical aspect of Cybersecurity, with SFA and MFA representing two key approaches to verifying user identities.
SFA is the most basic form of authentication, where users provide just one type of evidence to verify their identity, usually a password or PIN. While convenient, it is vulnerable to security risks like hacking or credential theft, as a single factor can be easily compromised.
MFA, on the other hand, requires users to provide two or more different forms of verification. These typically include something the user knows (like a password), something the user has (like a smartphone for an authentication app or a security token), and something the user is (like a fingerprint or facial recognition).
New MFA Policy
In compliance with CISA’s “Secure by Design” initiative, Snowflake’s default authentication requirements will be implemented in three phases:
- April: Human users on accounts without a customized authentication policy will be required to enroll in MFA the next time they sign in with a password.
- August: MFA will be mandatory for all password-based sign-ins for human users, regardless of any custom authentication policy in place.
- November: Snowflake will block all password-based sign-ins using single-factor authentication. This will affect both human users logging in interactively and service users accessing Snowflake programmatically.
According to Snowflake, this new policy will not affect customers using key-pair authentication or single sign-on (SSO) methods like SAML or OAuth.
Most of the authentication events in Snowflake are tied to non-human identities (NHIs) or programmatic access, which are not suited for MFA. Snowflake explained that it often takes customers up to a year to fully transition their identity management systems to a more secure authentication method.
This decision follows a series of attacks where cybercriminals exploited stolen credentials, leading to data breaches and extortion attempts. One notable attack, targeting AT&T’s Snowflake environment in April, exposed data from nearly all of the telecom provider’s wireless customers.
In response, Snowflake introduced a new security policy in July, allowing administrators to set mandatory MFA for all users or specific roles. Previously, users were required to enroll in MFA themselves.
Snowflake’s Road To Mandating MFA
Snowflake’s journey to mandating MFA for all users by late 2025 reflects a common trend in the cloud services market, where companies are gradually introducing stronger security measures.
Despite the clear need for better authentication practices, many cloud providers are taking a phased approach to allow customers time to adjust their technology stacks and adapt to new security requirements. This slow rollout is meant to accommodate the changes needed for businesses to integrate MFA with their existing services.
By the end of 2025, AWS, Google Cloud, and Microsoft Azure, the three largest cloud providers, will also require MFA for some or all customers. Some of these MFA mandates began in 2023 as part of a broader industry shift toward more robust authentication protocols.
FAQ
Why Is Snowflake Ending Single-Factor Authentication (SFA) By 2025?
Snowflake is making this change to improve security and protect user accounts from unauthorized access. SFA can be easily compromised, while multi-factor authentication (MFA) provides an extra layer of protection. This shift is part of a broader effort to bolster Cybersecurity across the platform.
How Will This Change Affect My Business?
Starting in 2025, your business will need to use MFA for all Snowflake accounts. This means users will have to verify their identity with something more than just a password, such as a code sent to their phone. It’s an important step to protect your data but may require some time to adjust your systems and train your team.
What Steps Can My Business Take To Implement This Change?
To implement Snowflake’s MFA change, start by ensuring all users are set up with MFA on their accounts. Work with your IT team to update your systems for compatibility. 2Secure Corp advises training your employees on MFA and reviewing any integrations with Snowflake to ensure they meet the new security requirements. Make sure to test the setup before the deadline to avert disruptions.
