Snowflake Multi-factor Authentication (MFA)

Passwords on their own just don't cut the mustard today. Read on to see how Snowflake supports multi-factor authentication.

One of the sad byproducts of the Internet is the sheer number of miscreants out there, constantly trying to hack and attack systems hosted online. This is why cyber security has become such a huge part of general computing. One of the many ways companies have attempted to improve account security is via Multi-Factor Authentication, hereafter referred to as MFA. Snowflake is one such company, and in this post we’re going to discover how to enable 2FA and how Snowflake have implemented it.

MFA was not mandatory in Snowflake until October 2024. Snowflake recommend (they strongly recommend!) that you have it enabled for all ACCOUNTADMINs as a minimum. Realistically, it’s good practice to have it enabled for all users. Now that MFA is mandatory, all users will have to enable it.

What Snowflake Features does MFA Protect?

MFA protects a few Snowflake features. The first two are obvious, the user interfaces:

  • Snowsight
  • SnowSQL

The other option involves the programming interfaces Snowflake provides:

  • JDBC
  • Node.js
  • ODBC
  • Python

How is MFA Implemented in Snowflake?

MFA is enabled on a per-user basis – there is no way to turn it on for all users within your Snowflake account. Before October 2024, the users had to enrol in MFA themselves. Once opted into MFA, it was possible to opt out - but only with the help of a friendly account admin. Like we mentioned earlier, MFA is now mandatory.

Snowflake MFA uses Cisco Duo. You can choose one of three ways to pass MFA:

1.     Receive Duo Push notifications to your mobile device.
2.     Receive a telephone call (are these still a thing!).
3.     Enter a passcode.

Setting up MFA

To enable MFA on your account, log on to Snowsight. As of October 2024, you’ll be prompted to enter your phone number and set up your preferred MFA method. Before October 2024, you had to log on to Snowsight, click on your account name in the bottom left-hand corner, and then select My profile. Scroll down and you’ll see the MFA section.



If you haven’t already enrolled, you’ll see an option which allows you to configure MFA. Follow the steps and you’ll be good to go! Make sure you install the Duo app on your mobile device and configure it correctly as per the instructions.

Logging into Snowsight Using MFA

Once MFA is configured, log out of Snowsight and attempt to log back in. You’ll see this prompt:



Click on your preferred option and make sure you have your mobile device with you! I usually opt for the push. With this, you just open the Duo app on your phone and confirm the request.

Logging into SnowSQL Using MFA

Using MFA with SnowSQL is pretty much identical to using it with Snowsight. Log on and enter your user name and password. SnowSQL will wait for you to authenticate MFA via Duo.

Using MFA with Programmatic Interfaces

You need to generate a passcode in Duo, which has to be embedded in the connection string for your chosen programming language. If you open the Duo app, you’ll be able to view the passcode. More details on this can be found in Snowflake’s documentation.

Summary

MFA is another topic which features in the security section of the SnowPro Core exam. It’s pretty straightforward, so this should be an area where you can pick up some easy marks!

 

Page top