Snowflake’s New Era: No More Password-Only Authentication — What You Need to Know
Take a Deep Dive Into Snowflake's Recent Security Changes
As cybersecurity threats continue to evolve, stronger authentication practices become ever more critical. In response to recent security incidents, in which customer accounts without multi-factor authentication (MFA) were accessed by attackers who guessed their passwords, Snowflake is making significant changes to how users access its platform. Starting later this year, robust authentication methods such as MFA and OAuth will replace password-only logins. This article breaks down the upcoming changes, the timelines, and what you need to do to stay compliant and secure.
The Changes at a Glance
Snowflake is moving toward eliminating password-only access to enhance data security. Key changes include:
Enforcement of MFA by Default for New Accounts
- Behavior Change Release (BCR) Bundle 2024_08: Snowflake will introduce a new built-in authentication policy enforcing MFA by default for new accounts. This change is expected to be deployed for testing during the week of October 7th, 2024, in release 8.38.
- Opt-in Period (October 2024 — Early January 2025): During this period, you can enable the BCR bundle to apply the new built-in authentication policy to new accounts.
- Enabled by Default (Early January 2025 to Early February 2025): All new Snowflake accounts will have the new built-in authentication policy by default unless your Account Admin explicitly opts out of BCR 2024_08.
- General Availability (Early February 2025): All new Snowflake accounts will have the new built-in authentication policy enforced. Account Admins will not be able to opt out but can disable the new policy by creating a custom authentication policy.
Introducing User Types
Users will be categorized into types, PERSON, SERVICE, and LEGACY_SERVICE, so that appropriate security policies can be applied:
- PERSON: For human users. These users will be subject to MFA policies when using Snowflake built-in passwords.
- SERVICE: For service accounts. These users will not be allowed to use passwords and must use secure authentication methods like key pairs (preferred) or OAuth.
- LEGACY_SERVICE: A temporary solution for service users who cannot immediately switch to secure authentication methods. These users are not subject to MFA policies but have limitations (e.g., cannot log in via UI, cannot have first name/last name). Snowflake highly recommends updating these accounts to use secure authentication methods as soon as possible.
Phasing Out Passwords for Service Users
Service accounts will no longer be allowed to use password-based authentication. Instead, OAuth or key pair methods will be required. This change strengthens the security of automated systems by eliminating the vulnerabilities associated with password usage.
Mandatory MFA for Human Users
By early 2025, all new accounts will require MFA for human users who log in with a password. Over the next few quarters, Snowflake plans to extend this new built-in authentication policy to all existing accounts. This ensures that even if a password is compromised, the additional layer of security from MFA will protect against unauthorized access.
Exemptions
- Reader Accounts and Trial Accounts: These accounts are exempt from the new MFA policy. However, if a trial account converts to a paid account, the new built-in authentication policy requiring MFA applies immediately. For converted trial accounts this behavior is not controlled by the BCR bundle; the only way to disable it is to define a custom authentication policy and set MFA_ENROLLMENT to OPTIONAL.
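As an added example (not code from the original post), the statements below show the two account-level levers described above: checking and enabling the BCR bundle during the opt-in period, and the custom-policy opt-out path that remains once the bundle can no longer be disabled. The policy name is a placeholder; authentication policies are schema-level objects, so run this with a current database and schema selected.

```sql
-- Added example (not from the original post). Requires ACCOUNTADMIN.
USE ROLE ACCOUNTADMIN;

-- Where does this account stand on bundle 2024_08?
-- Returns DISABLED, ENABLED or RELEASED.
SELECT SYSTEM$BEHAVIOR_CHANGE_BUNDLE_STATUS('2024_08');

-- Opt in during the opt-in period so the built-in MFA policy is applied now
-- rather than waiting for the default-on phase.
SELECT SYSTEM$ENABLE_BEHAVIOR_CHANGE_BUNDLE('2024_08');

-- Opt-out path once the built-in policy is enforced (and the only path for a
-- converted trial account): a custom authentication policy that leaves MFA
-- enrolment optional, attached at account level, overrides the built-in one.
-- This weakens the account's protection, so treat it as a documented,
-- time-boxed exception rather than a default.
CREATE OR REPLACE AUTHENTICATION POLICY mfa_optional_policy   -- placeholder name
  MFA_ENROLLMENT = OPTIONAL
  COMMENT = 'Temporary exception: remove once all human users are enrolled';
ALTER ACCOUNT SET AUTHENTICATION POLICY mfa_optional_policy;

-- Returning to the enforced behaviour later is a matter of attaching a policy
-- with MFA_ENROLLMENT = REQUIRED, or unsetting the account-level policy.
ALTER ACCOUNT UNSET AUTHENTICATION POLICY;
```

Checking the bundle status first matters because SYSTEM$ENABLE_BEHAVIOR_CHANGE_BUNDLE has no effect once the bundle has been released to all accounts; at that point only the custom policy changes behaviour.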
What These Changes Mean for You
These changes are designed to strengthen your organization’s security posture and ensure that your Snowflake environment is protected against potential credential compromises. However, they require some adjustments on your part.
For Human Users
Ensure that all human users are set up with MFA. This can be achieved through Snowflake’s native MFA or, preferably, by integrating with an Identity Provider (IdP) for Single Sign-On (SSO). Leveraging SSO provides a seamless login experience while maintaining high-security standards.
For Service Accounts
Service accounts need to switch from passwords to either OAuth or key pair authentication. Passwords will no longer be allowed for programmatic access. This transition will require adjusting your integration settings and updating the credentials used by your applications. If immediate migration isn't possible, you can temporarily classify these accounts as LEGACY_SERVICE, but Snowflake strongly advises updating to secure authentication methods as soon as possible.
Legacy Systems
If you have legacy systems that rely on passwords and cannot easily migrate, the LEGACY_SERVICE user type provides a temporary solution. However, this is a short-term fix, and plans should be made to transition to secure authentication methods promptly. LEGACY_SERVICE users have limitations and are not intended for long-term use.
Actions You Need to Take
To ensure a smooth transition and maintain compliance, follow these steps:
1. When Creating New Accounts Programmatically
Use the newly introduced ADMIN_USER_TYPE property when creating accounts:
CREATE ACCOUNT <name> [ADMIN_USER_TYPE = PERSON | SERVICE | LEGACY_SERVICE | NULL];
- For Human Users: Set ADMIN_USER_TYPE = PERSON. These users will be subject to MFA policies.
- For Service Users: Set ADMIN_USER_TYPE = SERVICE. These users cannot use passwords and should use key pair authentication or OAuth. Provide ADMIN_RSA_PUBLIC_KEY instead of a password during account creation.
- For Legacy Service Users: If key pair authentication isn't immediately feasible, set ADMIN_USER_TYPE = LEGACY_SERVICE and continue setting up passwords. Remember, this is a temporary measure.
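As an added example (not code from the original post), here are the human-administered and service-administered cases above written out as complete CREATE ACCOUNT statements. The account names, admin names, e-mail addresses and the public key value are constructed placeholders, and the statements require the ORGADMIN role.

```sql
-- Added example (not from the original post). Names, addresses and the key
-- value are placeholders.
USE ROLE ORGADMIN;

-- Human-administered account: the admin receives an initial password, must
-- change it on first login and, under the built-in authentication policy,
-- is prompted to enrol in MFA.
CREATE ACCOUNT analytics_dev
  ADMIN_NAME = alice_admin
  ADMIN_PASSWORD = '<initial-password-placeholder>'
  ADMIN_USER_TYPE = PERSON
  FIRST_NAME = Alice
  LAST_NAME = Example
  EMAIL = 'alice@example.com'
  MUST_CHANGE_PASSWORD = TRUE
  EDITION = ENTERPRISE;

-- Service-administered account: no password exists at any point. The admin
-- user is created as TYPE = SERVICE and can only authenticate with the RSA
-- key pair whose public half is supplied here (PEM body without the
-- BEGIN/END lines). SERVICE users cannot carry a first or last name.
CREATE ACCOUNT pipeline_prod
  ADMIN_NAME = svc_admin
  ADMIN_RSA_PUBLIC_KEY = 'MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A<public-key-placeholder>'
  ADMIN_USER_TYPE = SERVICE
  EMAIL = 'platform-team@example.com'
  EDITION = ENTERPRISE;

-- Review the result; the output lists each account with its edition and the
-- admin user that was created for it.
SHOW ACCOUNTS;
```

The service-administered form is the one to prefer for accounts that will only ever be driven by automation: because no ADMIN_PASSWORD is ever issued, there is nothing to rotate out later and nothing for an attacker to guess.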
2. Update User Authentication
Ensure all users are correctly categorized and set up with appropriate authentication methods.
Set User Types:
ALTER USER alice SET TYPE = 'PERSON';
ALTER USER data_pipeline_user SET TYPE = 'SERVICE';
ALTER USER legacy_app_user SET TYPE = 'LEGACY_SERVICE';
- For Human Users: After setting TYPE = 'PERSON', enroll them in MFA through Snowflake's Duo process or your IdP.
- For Service Users: With TYPE = 'SERVICE', ensure they use key pair authentication or OAuth, combined with network policies for added security.
- For Legacy Service Users: Use TYPE = 'LEGACY_SERVICE' only as a temporary solution. Plan to migrate these users to secure authentication methods soon.
3. Enable MFA for All Human Users
Create and apply an authentication policy that enforces MFA for human users using passwords:
-- Authentication policies are schema objects: run this with a database and
-- schema selected, or qualify the policy name.
CREATE OR REPLACE AUTHENTICATION POLICY enforce_mfa_policy
  MFA_ENROLLMENT = REQUIRED
  -- First factors allowed for the account. The valid policy values are ALL,
  -- SAML, PASSWORD, OAUTH and KEYPAIR; EXTERNALBROWSER and SNOWFLAKE_JWT are
  -- client-side authenticator names and are rejected here.
  AUTHENTICATION_METHODS = ('PASSWORD', 'SAML', 'OAUTH', 'KEYPAIR')
  -- Password logins must present a second factor.
  MFA_AUTHENTICATION_METHODS = ('PASSWORD');
-- The policy is attached by name, without an "=".
ALTER ACCOUNT SET AUTHENTICATION POLICY enforce_mfa_policy;
This policy ensures compliance with Snowflake’s new standards and significantly reduces the risk of compromised accounts.
4. Update Service User Authentication
Review and update all service accounts to use key pairs or OAuth for authentication.
Set Authentication Policies for Service Users:
ALTER USER service_user_name SET TYPE = SERVICE;
CREATE OR REPLACE AUTHENTICATION POLICY service_user_auth_policy
  -- KEYPAIR is the policy value for key pair (JWT) authentication;
  -- KEYPAIR_JWT is not a valid value and the CREATE would fail.
  AUTHENTICATION_METHODS = ('KEYPAIR', 'OAUTH');
ALTER USER service_user_name SET AUTHENTICATION POLICY service_user_auth_policy;
This setup ensures service accounts use secure, programmatic access methods, mitigating risks associated with password-based authentication.
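As an added example (not code from the original post), the following walks a service user through the full key pair migration the step above calls for: registering a public key, removing the password, verifying the key fingerprint, and rotating the key later using the second key slot so that jobs keep running during the switch. The user name and the key values are constructed placeholders; the openssl commands in the comments are the standard ones for producing a PKCS#8 private key and its public half.

```sql
-- Added example (not from the original post). User name and key material are
-- placeholders.
--
-- Generate the key pair outside Snowflake; the private key stays with the
-- application and is never uploaded:
--   openssl genrsa 2048 | openssl pkcs8 -topk8 -inform PEM -out rsa_key.p8
--   openssl rsa -in rsa_key.p8 -pubout -out rsa_key.pub
-- The RSA_PUBLIC_KEY value is the body of rsa_key.pub with the BEGIN/END
-- lines removed.
USE ROLE SECURITYADMIN;

-- 1. Register the public key, then remove the password and mark the user as
--    a service user so that password authentication is no longer possible.
ALTER USER data_pipeline_user SET RSA_PUBLIC_KEY = 'MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A<key-1-placeholder>';
ALTER USER data_pipeline_user UNSET PASSWORD;
ALTER USER data_pipeline_user SET TYPE = SERVICE;

-- 2. Verify. RSA_PUBLIC_KEY_FP in the output must equal the fingerprint
--    computed locally from the file you uploaded:
--      openssl rsa -pubin -in rsa_key.pub -outform DER \
--        | openssl dgst -sha256 -binary | openssl enc -base64
--    A mismatch means the wrong key (or a truncated paste) was registered.
DESCRIBE USER data_pipeline_user;

-- 3. Rotation. Load the replacement key into the second slot; both keys are
--    accepted while the application is switched over, so nothing has to fail.
ALTER USER data_pipeline_user SET RSA_PUBLIC_KEY_2 = 'MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A<key-2-placeholder>';
--    ... deploy the new private key to the application and confirm it connects ...
--    Then retire the old key. The next rotation fills RSA_PUBLIC_KEY again and
--    retires RSA_PUBLIC_KEY_2.
ALTER USER data_pipeline_user UNSET RSA_PUBLIC_KEY;

-- 4. Confirm only the new key remains (RSA_PUBLIC_KEY_FP is now null and
--    RSA_PUBLIC_KEY_2_FP carries the new fingerprint).
DESCRIBE USER data_pipeline_user;
```

Doing the UNSET PASSWORD before changing the type makes the migration explicit: after step 1 the only credential Snowflake will accept for this user is a JWT signed with the matching private key, and the DESCRIBE check in step 2 is what catches a mis-pasted key before the first nightly job fails.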
5. Apply Network Policies
This article is not intended to cover network policies in general, but in addition to the per-user network policies for service users shown here, it is highly recommended that you also implement account-level network policies to reduce the attack surface of your Snowflake accounts.
Restrict service user access to specific trusted IP addresses or private networks by applying network policies:
CREATE OR REPLACE NETWORK POLICY restrict_network_policy
  -- Any source not in ALLOWED_IP_LIST is already denied, so a BLOCKED_IP_LIST
  -- of 0.0.0.0/0 is unnecessary; the blocked list exists to carve exceptions
  -- out of the allowed ranges. Note that 192.168.1.0/24 is a private (RFC 1918)
  -- range that Snowflake only sees over private connectivity; clients on the
  -- public internet need their egress addresses listed instead.
  ALLOWED_IP_LIST = ('192.168.1.0/24', '203.0.113.5');
-- The user property is NETWORK_POLICY (with an underscore), set with "=".
ALTER USER service_user_name SET NETWORK_POLICY = restrict_network_policy;
This adds an extra layer of security by ensuring programmatic users can only connect from approved locations.
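As an added example (not code from the original post), this is the account-level counterpart recommended above: one policy that applies to every login, with the check that prevents locking out the administrator who activates it. The IP ranges and the policy name are constructed placeholders.

```sql
-- Added example (not from the original post). Ranges and names are
-- placeholders.
USE ROLE SECURITYADMIN;

-- Confirm the address this session arrives from falls inside a range the new
-- policy will allow; an account-level policy applies to your own session too.
SELECT CURRENT_IP_ADDRESS();

CREATE OR REPLACE NETWORK POLICY corp_account_policy
  ALLOWED_IP_LIST = ('203.0.113.0/24', '198.51.100.10')  -- office egress and VPN
  BLOCKED_IP_LIST = ('203.0.113.250')                    -- guest Wi-Fi NAT inside the office range
  COMMENT = 'Account-wide ingress allow-list';

-- Review the rendered lists before activating.
DESCRIBE NETWORK POLICY corp_account_policy;

-- Activate for the whole account. A policy attached directly to a user (such
-- as the stricter service-user policy above) takes precedence over this one
-- for that user, so the two layers compose rather than conflict.
ALTER ACCOUNT SET NETWORK_POLICY = corp_account_policy;

-- Confirm which policy is now active at account level.
SHOW PARAMETERS LIKE 'NETWORK_POLICY' IN ACCOUNT;
```

The CURRENT_IP_ADDRESS() check is the step most often skipped: if the administrator's own address is outside the allowed list, the ALTER ACCOUNT cuts off the session that could undo it, and recovery becomes a support case.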
6. Monitor Compliance
Use Snowflake’s Trust Center and account usage views to monitor compliance:
Identify Users Without MFA:
-- In the USERS view the user name column is NAME and MFA (Duo) enrolment is
-- EXT_AUTHN_DUO; there are no USER_NAME or IS_MFA_ENABLED columns. Dropped
-- users remain in the view, so filter on DELETED_ON.
SELECT NAME, LOGIN_NAME, EXT_AUTHN_DUO
FROM SNOWFLAKE.ACCOUNT_USAGE.USERS
WHERE DELETED_ON IS NULL
  AND EXT_AUTHN_DUO::BOOLEAN = FALSE;
Regular monitoring helps you address any non-compliance issues promptly.
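As an added example (not code from the original post), the following set of queries extends the single MFA check above into a compliance report for the whole transition: humans without MFA, service users still holding passwords, password logins that went through without a second factor, and failed login clusters. The view and column names are Snowflake's documented ACCOUNT_USAGE ones; the thresholds and the treatment of untyped users are my own choices and are marked as such.

```sql
-- Added example (not from the original post). ACCOUNT_USAGE views lag real
-- time by up to a couple of hours; thresholds below are illustrative.
USE ROLE ACCOUNTADMIN;

-- 1. Human users who can still log in with a password but have no MFA.
--    Assumption: users with no TYPE set (created before user types existed)
--    are treated as humans for this report.
SELECT NAME, LOGIN_NAME, LAST_SUCCESS_LOGIN
FROM SNOWFLAKE.ACCOUNT_USAGE.USERS
WHERE DELETED_ON IS NULL
  AND DISABLED::BOOLEAN = FALSE
  AND COALESCE(TYPE, 'PERSON') = 'PERSON'
  AND HAS_PASSWORD = TRUE
  AND EXT_AUTHN_DUO::BOOLEAN = FALSE
ORDER BY LAST_SUCCESS_LOGIN DESC NULLS LAST;

-- 2. Service-type users that still carry a password, or have no key pair yet.
--    A SERVICE user without a key may legitimately be using OAuth, so the
--    second condition is a review list rather than a violation list.
SELECT NAME, TYPE, HAS_PASSWORD, HAS_RSA_PUBLIC_KEY, PASSWORD_LAST_SET_TIME
FROM SNOWFLAKE.ACCOUNT_USAGE.USERS
WHERE DELETED_ON IS NULL
  AND TYPE IN ('SERVICE', 'LEGACY_SERVICE')
  AND (HAS_PASSWORD = TRUE OR HAS_RSA_PUBLIC_KEY = FALSE)
ORDER BY TYPE, NAME;

-- 3. Successful password logins in the last 7 days that presented no second
--    factor: the exact exposure the new policy is meant to close.
SELECT USER_NAME, CLIENT_IP, REPORTED_CLIENT_TYPE,
       COUNT(*)           AS logins,
       MAX(EVENT_TIMESTAMP) AS last_seen
FROM SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY
WHERE EVENT_TIMESTAMP >= DATEADD('day', -7, CURRENT_TIMESTAMP())
  AND IS_SUCCESS = 'YES'
  AND FIRST_AUTHENTICATION_FACTOR = 'PASSWORD'
  AND SECOND_AUTHENTICATION_FACTOR IS NULL
GROUP BY USER_NAME, CLIENT_IP, REPORTED_CLIENT_TYPE
ORDER BY logins DESC;

-- 4. Clusters of failed logins in the last 24 hours, grouped by the error
--    Snowflake returned. Network-policy denials and password guessing both
--    surface here; the threshold of 10 is an arbitrary starting point.
SELECT USER_NAME, CLIENT_IP, ERROR_MESSAGE, COUNT(*) AS failures
FROM SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY
WHERE EVENT_TIMESTAMP >= DATEADD('day', -1, CURRENT_TIMESTAMP())
  AND IS_SUCCESS = 'NO'
GROUP BY USER_NAME, CLIENT_IP, ERROR_MESSAGE
HAVING COUNT(*) >= 10
ORDER BY failures DESC;
```

Query 3 is the one worth scheduling as a task with an alert: once the account-level policy is in place it should return no rows, and any row that appears afterwards points at a user or policy exception that still allows a single-factor password login.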
Timeline for Implementation
- Opt-in Period (October 2024 — Early January 2025): Enable BCR Bundle 2024_08 to apply the new authentication policy to new accounts.
- Enabled by Default (Early January 2025 — Early February 2025): All new accounts will have the new authentication policy by default unless explicitly opted out.
- General Availability (Early February 2025): The new authentication policy is enforced for all new accounts. Account Admins cannot opt out but can create a custom authentication policy to disable it.
- Future (Over the Next Few Quarters): Snowflake plans to extend the new authentication policy to all existing accounts, phasing out password-only access entirely.
Summary
Snowflake’s initiative to eliminate password-only access is a significant step toward enhancing data security. By adopting strong authentication methods like MFA, OAuth, and key pairs for service accounts, the platform is strengthening security across the board. It’s crucial to begin preparing for this transition now by enabling MFA, updating service accounts, and utilizing Snowflake’s tools to secure your environment.
The phased rollout provides time to adapt, but early action will minimize disruptions and ensure a smooth transition. If you have any questions or need assistance, consult Snowflake’s knowledge base article or open a case with Snowflake’s support team, referencing BCR-1784.
Additional Resources
- Snowflake’s Blog on Enforcing Mandatory MFA
- CISA Secure by Design Post
- Snowflake Documentation on User Types
- Video Guide on Implementing MFA
- Whitepaper on Secure Authentication Practices
My name is Augusto Rosa , and I am the Vice President of Engineering for Infostrux Solutions. I am honored to be a Snowflake Data Superhero 2024 and a Snowflake Subject Matter Expert (SME).
Thank you for reading this blog post. You can follow me on LinkedIn.