NEWS BRIEF
Snowflake announced a new authentication policy that will require all customers to enable multifactor authentication on their accounts by November 2025 or risk having their access blocked.
The three-phase policy change comes after Snowflake’s recent decision to enable multifactor authentication by default on all new accounts. “MFA will be enforced by default for all human users in any Snowflake account created as of October 2024,” Snowflake’s Anoosh Saboori and Brad Jones wrote back in September.
In the first phase, planned for April 2025, human users on accounts without a customized authentication policy will be required to enroll in MFA the next time they sign into Snowflake.
The second phase, in August 2025, will require MFA for all password-based sign-ins for human users. This requirement will apply regardless of any custom authentication policy in place on the account.
In the final phase, Snowflake will block all password-based sign-in attempts using single-factor authentication. While the previous two phases focused on human users, this phase will also apply to service accounts using programmatic access, as well.
Snowflake customers must make the necessary changes before November 2025. Snowflake has created guides to help organizations with the migration. There is also a Threat Intelligence scanner package available on Snowflake’s Trust Center which can scan accounts to identify users who do not have MFA enabled and are at risk of losing access.
The spree of attacks targeting Snowflake customers earlier this year was a result of poor hygiene and the lack of MFA. More than 165 organizations were impacted, such as Neiman Marcus, Ticketmaster, and AT&T. A significant volume of customer data has been stolen. several of the victims were hit with follow-on extortion attempts.
About Author
