Dive Brief:
- Snowflake will block customers from accessing their Snowflake environments with single-factor password authentication by November 2025, the company said earlier this month.
- The policy change will take effect in phases, impacting sign-ins for account containers, user objects, human users and service users over an eight-month period starting in April 2025. Snowflake declined to answer questions about customer multifactor authentication adoption or how many customers currently access their environments with single-factor authentication.
- “Our goal is to help drive the improvement of our customers’ security posture by providing strong authentication options and ultimately sunsetting the legacy authentication methods — raising the bar for the industry,” Snowflake CISO Brad Jones said Monday via email.
Dive Insight:
Snowflake’s password-policy change will kick off one year after a wave of attacks hit more than 100 Snowflake customer environments that were not configured with MFA.
The widely recommended security control is a central tenet of the Cybersecurity and Infrastructure Security Agency’s voluntary secure by design pledge, which Snowflake signed in late July.
MFA was enabled by default for all newly created Snowflake accounts starting in October.
Snowflake positioned the new authentication policy as part of its commitment to CISA’s secure by design pledge.
The default authentication requirements will occur in three phases:
- In April, human users on accounts without a customized authentication policy will be required to enroll in MFA the next time they sign into Snowflake using a password.
- In August, Snowflake will require MFA for all password-based sign-ins for human users, regardless of any custom authentication policy in place.
- By November, Snowflake will block all password-based sign-in attempts to Snowflake using single-factor authentication. This will impact all human users who use interactive login and service users who use programmatic access.
Snowflake said the new policy doesn’t apply to customers using key-pair authentication or to single sign-on users using the open standard Security Assertion Markup Language (SAML) or OAuth.
Most authentication events in Snowflake are linked to non-human identities or programmatic access, which isn’t suited for MFA. The company said it typically takes customers up to a year to fully migrate identity lifecycle management to a stronger credential authentication format.
The spree of attacks targeting Snowflake customer environments, which involved the use of stolen credentials, resulted in a significant volume of stolen customer data and follow-on extortion attempts. A cyberattack targeting AT&T’s Snowflake environment in April compromised data on nearly all of the telecom provider’s wireless customers.
By July, the cloud-based data warehouse vendor established a new security policy to allow administrators to set MFA rules for all users or specific roles. Previously, Snowflake users had to enroll themselves in MFA.
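For administrators who want to get ahead of the phases described above, the following is an added example (not code from the article or from Snowflake) of how the inventory-then-enforce workflow looks in Snowflake SQL. It assumes the reader's role can read the SNOWFLAKE.ACCOUNT_USAGE views; the policy name REQUIRE_MFA_FOR_PASSWORDS, the 90-day window and the authentication-factor labels quoted in the comments are assumptions, not values from the article.

```sql
-- Added example, not from the article or Snowflake's own docs.
-- Assumes: read access to SNOWFLAKE.ACCOUNT_USAGE; factor labels such as
-- 'PASSWORD' and the policy name below are assumed, not taken from the page.

-- 1. Inventory: who still signs in with a password and no second factor?
--    This is the population the November cutoff will lock out.
SELECT
    user_name,
    reported_client_type,
    COUNT(*)             AS password_only_logins,
    MAX(event_timestamp) AS last_seen
FROM snowflake.account_usage.login_history
WHERE event_timestamp >= DATEADD('day', -90, CURRENT_TIMESTAMP())
  AND is_success = 'YES'
  AND first_authentication_factor = 'PASSWORD'      -- assumed label
  AND second_authentication_factor IS NULL          -- no MFA completed
GROUP BY user_name, reported_client_type
ORDER BY password_only_logins DESC;

-- 2. Split the two populations the article distinguishes: human users
--    must enrol in MFA; service users should move to key-pair or OAuth.
--    A NULL type means the user predates the PERSON/SERVICE distinction
--    and needs a manual review (assumption about legacy accounts).
SELECT
    name,
    type,
    has_password,
    has_rsa_public_key,
    has_mfa,
    CASE
        WHEN type = 'SERVICE'                 THEN 'migrate to key-pair/OAuth'
        WHEN type = 'PERSON' AND NOT has_mfa  THEN 'enrol in MFA'
        WHEN type IS NULL                     THEN 'review manually'
        ELSE 'ok'
    END AS action
FROM snowflake.account_usage.users
WHERE deleted_on IS NULL
  AND has_password = TRUE;

-- 3. Enforce early: keep passwords usable only with MFA enrolment, while
--    SAML, OAuth and key-pair (exempt per the article) stay available.
CREATE AUTHENTICATION POLICY IF NOT EXISTS require_mfa_for_passwords
  AUTHENTICATION_METHODS     = ('PASSWORD', 'SAML', 'OAUTH', 'KEYPAIR')
  MFA_AUTHENTICATION_METHODS = ('PASSWORD')
  MFA_ENROLLMENT             = REQUIRED
  COMMENT = 'Password sign-ins must complete MFA enrolment';

-- Apply account-wide; ALTER USER ... SET AUTHENTICATION POLICY scopes it.
ALTER ACCOUNT SET AUTHENTICATION POLICY require_mfa_for_passwords;
```

Run the two SELECTs first and clear the service-user rows onto key-pair or OAuth before applying the policy, since ACCOUNT_USAGE views lag live activity and a programmatic identity that still depends on a password will fail once enforcement is on.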
Snowflake’s long road to mandate MFA use follows a common trend in the cloud services market. Despite the pressing need for more advanced authentication, companies are taking a phased approach to give customers time to prepare and reorient tech stacks that might require changes to how they integrate with other critical services.
The three largest cloud providers — AWS, Google Cloud and Microsoft Azure — will have MFA mandates in place for some or all customers by the end of 2025. Some of those mandates began in earnest in 2023.