Snowflake’s New Authentication Requirements: Free Checklist & Guide

By Ido Arieli Noga

In 2025, Snowflake security isn’t “a concern” – it’s a mandate. After the 2024 breach exposed major customer data due to weak credential hygiene and lack of MFA, Snowflake is implementing progressive authentication improvements to enhance protections, and there’s no opting out.

This is a fundamental shift. Single-factor authentication is being deprecated. Native passwords for service users? Gone. MFA for all human users? Mandatory.

If you’re running a data platform on Snowflake and you’re not planning for this rollout, read on to catch up with these updates.

What’s Changing: Passwords Are Out, Strong Auth is In

Snowflake is deprecating single-factor password-based sign-ins across all human and service users. The transition is being rolled out via a series of Behavior Change Releases (BCRs). These aren’t optional. Once the bundles are enabled, the policies are enforced. 

Note: this doesn’t apply to reader, trial, or Open Catalog accounts – but if you’re running production workloads or pipelines, you’re in scope, so prepare accordingly.

Who’s Affected: Human vs. Service Users

Snowflake distinguishes users by the TYPE attribute:

  • TYPE = PERSON: Human users (default if unset)
  • TYPE = SERVICE: Programmatic/service users
  • TYPE = LEGACY_SERVICE: Transitional user type (temporary use of passwords for services, being deprecated)

What this means:

  • Human users will be forced into MFA when authenticating via password.
  • Service users will be blocked from password-based login entirely. Only OAuth or key-pair auth will be allowed.

This change reflects a broader shift in the cloud security landscape. Credentials are the #1 attack vector in nearly every breach report published in the last five years. Snowflake is drawing a hard line to eliminate them.

Timeline: When the Changes Take Effect

For Human Users:

  • May – July 2025: Mandatory MFA for all Snowsight users (existing + new)
  • Aug – Oct 2025: MFA required for all newly created human users (not just Snowsight)
  • Mar – May 2026: Mandatory MFA for all human users, no exceptions

For Service Users:

  • Nov 2025 – Jan 2026: No new LEGACY_SERVICE users can be created
  • June – Aug 2026: All remaining LEGACY_SERVICE users blocked. Key-pair or OAuth required

These timelines are tied to Snowflake’s monthly BCR bundle lifecycle. But don’t wait. You need to be proactive now to avoid outages, especially for automated pipelines and embedded workloads.

What You Should Be Doing (Now)

1. Set User Types

Use ALTER USER to explicitly define PERSON or SERVICE. Don’t rely on default behavior.

ALTER USER user1 SET TYPE = PERSON;

ALTER USER svc_user1 SET TYPE = SERVICE;

This step alone can prevent accidental policy enforcement on automation users and clarify future access methods.

2. Audit Your Risky Users

Use the Trust Center to run queries that identify accounts:

  • With passwords
  • Without MFA
  • Using LEGACY_SERVICE

Extend this with queries for service users and distribution across authentication methods. Start categorizing:

  • Who can be migrated?
  • Who’s blocked by legacy system limitations?
  • Who’s not in use anymore?
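One way to start that categorization, as an added example (not from the original article and not a Trust Center scanner): it reads the SNOWFLAKE.ACCOUNT_USAGE views USERS and LOGIN_HISTORY. The 90-day window and the finding labels are assumptions chosen for illustration.

```sql
-- Added example: sort every non-deleted user into a migration bucket.
-- Requires a role that can read the SNOWFLAKE.ACCOUNT_USAGE views;
-- those views lag behind real time, so re-run before acting on a result.
WITH active_users AS (
    SELECT name,
           COALESCE(type, 'PERSON')       AS user_type,  -- unset TYPE means PERSON
           COALESCE(has_password, FALSE)  AS has_password,
           COALESCE(has_rsa_public_key, FALSE) AS has_key_pair,
           COALESCE(has_mfa, FALSE)       AS has_mfa
    FROM snowflake.account_usage.users
    WHERE deleted_on IS NULL
),
recent_logins AS (
    -- How each user actually authenticated in the window (90 days is an assumption).
    SELECT user_name,
           COUNT(*) AS total_logins,
           COUNT_IF(first_authentication_factor = 'PASSWORD'
                    AND second_authentication_factor IS NULL) AS password_only_logins,
           MAX(event_timestamp) AS last_login
    FROM snowflake.account_usage.login_history
    WHERE is_success = 'YES'
      AND event_timestamp >= DATEADD(day, -90, CURRENT_TIMESTAMP())
    GROUP BY user_name
)
SELECT u.name,
       u.user_type,
       u.has_password,
       u.has_key_pair,
       u.has_mfa,
       COALESCE(l.password_only_logins, 0) AS password_only_logins,
       l.last_login,
       CASE
           WHEN l.user_name IS NULL
               THEN 'UNUSED: no successful login in window, review for removal'
           WHEN u.user_type = 'LEGACY_SERVICE'
               THEN 'MIGRATE: move to key-pair or OAuth, then set TYPE = SERVICE'
           WHEN u.user_type = 'PERSON' AND u.has_password AND NOT u.has_mfa
               THEN 'ENROLL: password user without MFA'
           WHEN l.password_only_logins > 0
               THEN 'INVESTIGATE: single-factor password logins observed'
           ELSE 'OK'
       END AS finding
FROM active_users u
LEFT JOIN recent_logins l ON l.user_name = u.name
ORDER BY finding, u.user_type, u.name;
```

Users that land in the MIGRATE bucket but cannot change authentication method because of a legacy client still have to be identified by hand; the query only shows that they are logging in with a password.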

3. Migrate Service Accounts to Key-Pair or OAuth

OAuth is the preferred method for programmatic access due to its short-lived, scoped tokens. Key-pair auth is allowed but must be rotated regularly and combined with network controls.

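-- Allow only OAuth for users this policy is attached to
CREATE AUTHENTICATION POLICY programmatic_auth
  AUTHENTICATION_METHODS = ('OAUTH');

-- Attach the policy to the service user (no "=" after POLICY)
ALTER USER svc_user1 SET AUTHENTICATION POLICY programmatic_auth;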

Also enforce IP-based or VPCE-based network policies:

CREATE NETWORK POLICY secure_net_policy
  ALLOWED_IP_LIST = ('10.0.0.0/8');

ALTER USER svc_user1 SET NETWORK_POLICY = secure_net_policy;

4. Enforce MFA Across the Board

You don’t need to wait for Snowflake to enforce MFA. Apply your own authentication policy now:

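-- Require MFA enrollment for password sign-ins
CREATE AUTHENTICATION POLICY require_mfa
  MFA_AUTHENTICATION_METHODS = ('PASSWORD')
  MFA_ENROLLMENT = REQUIRED;

-- Apply the policy account-wide (no "=" after POLICY)
ALTER ACCOUNT SET AUTHENTICATION POLICY require_mfa;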

This will override optional MFA for native users and lock down all TYPE = PERSON accounts that aren’t using SSO.

5. Apply Session + Network Policies

Enforce session timeouts and geofencing to reduce attack surface:

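-- Idle timeouts in minutes: 120 for client sessions, 15 for the web UI
CREATE SESSION POLICY secure_session
  SESSION_IDLE_TIMEOUT_MINS = 120
  SESSION_UI_IDLE_TIMEOUT_MINS = 15;

-- Apply the policy account-wide (no "=" after POLICY)
ALTER ACCOUNT SET SESSION POLICY secure_session;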

How Yuki Streamlines Your Transition

At Yuki, we’re not just helping companies reduce Snowflake costs. We’re helping them simplify their Snowflake authentication migration process with powerful built-in tools.

Here’s what that looks like in practice:

  • Identify all users relying on password authentication and service accounts in need of migration
  • Highlight legacy service users and help transition them to secure identities
  • Audit MFA enablement and apply prebuilt authentication policies
  • Monitor login history and Trust Center findings in one place

And we do it all inside your cloud. Your data never leaves your VPC. We operate as a zero-trust-aligned system that integrates seamlessly into your existing stack, completely automated with no weeks of dev work needed.

Need help preparing for this new security landscape? Our Snowflake experts can help.

Snowflake’s Long-Term Security Vision: Federated Auth Everywhere

Snowflake’s long-term direction is clear: adopt federated identity everywhere. In 2025 and beyond, Snowflake will:

  • Support passkeys + authenticator apps (beyond DUO)
  • Improve native OAuth support for connectors + drivers
  • Enhance the Trust Center with org-wide insights, ML-based anomaly detection, and alerting
  • Enable workload identity via cloud-native roles (e.g., AWS IAM, Azure Managed Identity)
  • Expand mTLS support for secure bi-directional connections

These changes will reduce password reliance to near-zero. Snowflake wants to be passwordless by design – and we agree. This is the best way to guarantee complete data security for your Snowflake setup.

The Bigger Picture: Security, Not Just Compliance

Snowflake’s security update isn’t just about checking a compliance box. It’s about:

  • Reducing your blast radius
  • Preventing silent failures in ETL pipelines
  • Maintaining availability during vendor outages
  • Supporting zero-trust enterprise standards

A Snowflake security failure today is a data breach headline tomorrow. You’re protecting:

  • Customer data
  • Financial insights
  • Competitive models and IP

We can’t afford to take shortcuts.

Free Snowflake Security Update Checklist: Is Your Org Ready?

TASK | STATUS
Define all users by TYPE (PERSON, SERVICE) |
Audit for password-only users via Trust Center |
Migrate all LEGACY_SERVICE users |
Apply account-level MFA enforcement |
Apply key-pair or OAuth auth for services |
Apply session + network policies |
Monitor with Trust Center weekly |
Test for break-glass scenarios |
Remove unused users and credentials |

TL;DR: Snowflake Is Moving. Are You?

Passwords are being deprecated.

MFA is mandatory.

Service users must migrate.

The timelines are already public. The bundles are already shipping. Your environment needs to move with them.

Yuki makes this easy, fast, and secure. If you want help auditing your Snowflake environment, enforcing MFA, migrating to key-pair or OAuth, and aligning with best practices – let’s talk.

Request your Snowflake security audit

Because in the end, better security isn’t just protection. It’s prevention.

Ido Arieli Noga
From DevOps and FinOps to Data Architecture and BI leadership, my focus has always been the same: operational efficiency. I started in a well-funded government unit, shifted to a lean startup, and now with Yuki, I’m taking efficiency to the next level. As a founder, I believe in living in two time zones at once: acting fast today while building for tomorrow.
