Understanding Multi-Factor Authentication

Snowflake supports multi-factor authentication (MFA) to provide increased login security for users connecting to Snowflake. MFA support is provided as an integrated Snowflake feature, powered by the Duo Security service, which is managed completely by Snowflake. Users do not need to separately sign up with Duo or perform any tasks, other than installing the Duo Mobile application, which is supported on multiple smart phone platforms (iOS, Android, Windows, etc.). See the Duo User Guide for more information about supported platforms/devices and how Duo multi-factor authentication works.

MFA is enabled on a per-user basis; however, at this time, users are not automatically enrolled in MFA. To use MFA, users must enroll themselves.

Attention

At a minimum, Snowflake strongly recommends that all users with the ACCOUNTADMIN role be required to use MFA.

Enrolling a Snowflake User in MFA

Previously, users could only be enrolled in MFA by submitting a request to Snowflake Support. This is no longer required.

Any Snowflake user can self-enroll in MFA through the web interface. For more information, see Managing Your User Preferences.

Managing MFA for Your Account and Users

At the account level, MFA requires no management. It is automatically enabled for your account and available for all your users to self-enroll. However, you may find the need to disable MFA, either temporarily or permanently, for a user. For example, a user forgets or loses their phone and cannot log in with MFA, or the user changes their phone number.

You can use the following properties for the ALTER USER command to perform these tasks:

  • MINS_TO_BYPASS_MFA
    Specifies the number of minutes to temporarily disable MFA for the user so that they can log in with their password alone. After the time passes, MFA is enforced again and the user cannot log in without approving a Duo Push or entering a passcode generated by the Duo Mobile application. Keep this window short: while it is open, the user's password is the only factor protecting the account.
  • DISABLE_MFA
    Disables MFA for the user, effectively canceling their enrollment. To use MFA again, the user must re-enroll.
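The following is an added example (not part of the original Snowflake page) showing the lockout-recovery and re-enrollment workflow with these two properties, followed by an audit that checks the "Attention" recommendation above. It assumes a user named DEMO, a session running as SECURITYADMIN (any role allowed to alter the user works), and the lowercase column names that RESULT_SCAN returns for SHOW and DESCRIBE output.

```sql
-- Added example, not from the Snowflake documentation page.
-- Assumes user DEMO exists and the session role may ALTER USER.
USE ROLE SECURITYADMIN;

-- 1. Temporary bypass: the user lost their phone and needs one
--    interactive login. 15 minutes is enough; during this window the
--    password alone is sufficient, so confirm the request out of band.
ALTER USER DEMO SET MINS_TO_BYPASS_MFA = 15;

-- 2. Verify the bypass took effect (and, later, that it has expired).
DESCRIBE USER DEMO;
SELECT "property", "value"
  FROM TABLE(RESULT_SCAN(LAST_QUERY_ID()))
 WHERE "property" IN ('MINS_TO_BYPASS_MFA', 'EXT_AUTHN_DUO');

-- 3. Close the window early once the user is back in rather than
--    waiting for it to count down.
ALTER USER DEMO SET MINS_TO_BYPASS_MFA = 0;

-- 4. Permanent reset (new phone number, device replaced): cancels the
--    Duo enrollment; the user must self-enroll again in the web UI.
ALTER USER DEMO SET DISABLE_MFA = TRUE;

-- 5. Audit: users granted ACCOUNTADMIN who are NOT enrolled in MFA.
--    LAST_QUERY_ID(-2) is the SHOW GRANTS result, LAST_QUERY_ID(-1)
--    the SHOW USERS result; "ext_authn_duo" is TRUE for enrolled users.
SHOW GRANTS OF ROLE ACCOUNTADMIN;
SHOW USERS;
SELECT u."name"        AS user_name,
       u."login_name"  AS login_name,
       g."granted_by"  AS accountadmin_granted_by
  FROM TABLE(RESULT_SCAN(LAST_QUERY_ID(-1))) u
  JOIN TABLE(RESULT_SCAN(LAST_QUERY_ID(-2))) g
    ON g."grantee_name" = u."name"
 WHERE g."granted_to"   = 'USER'
   AND u."ext_authn_duo" = FALSE;
```

Run step 5 on a schedule: because enrollment is voluntary and per-user, a newly created ACCOUNTADMIN will appear here until they self-enroll, and a DISABLE_MFA reset (step 4) puts an existing admin back on the list until they re-enroll.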

Connecting to Snowflake with MFA

MFA login is designed primarily for connecting to Snowflake through the web interface, but is also fully supported by SnowSQL and the Snowflake JDBC and ODBC drivers.

MFA Login Flow

The following diagram illustrates the overall login flow for a user enrolled in MFA, regardless of the interface used:

MFA login flow

Using MFA with the Web Interface

To log into the Snowflake web interface with MFA:

  1. Point your browser at the URL for your account (e.g. https://abc123.snowflakecomputing.com, https://abc123.eu-central-1.snowflakecomputing.com).

  2. Enter your credentials (user login name and password).

    MFA login
  3. If Duo Push is enabled, a push notification is sent to your Duo Mobile application. When you receive the notification, simply click Approve and you will be logged into Snowflake.

    MFA approval

    As shown on the above screenshot, instead of using the push notification, you can also choose to:

    • Click Enter Duo Passcode to log in by manually entering a passcode provided by the Duo Mobile application.
    • Click Request SMS Passcodes to have a set of temporary passcodes sent to your device via an SMS message. You can then log in by manually entering one of the passcodes.

Using MFA with SnowSQL

MFA can be used for connecting to Snowflake through SnowSQL. By default, the Duo Push authentication mechanism is used when a user is enrolled in MFA.

To use a Duo-generated passcode instead of the push mechanism, the login parameters must include one of the following connection options:

--mfa-passcode <string> OR --mfa-passcode-in-password

For more details, see SnowSQL (CLI Client).

Using MFA with JDBC

MFA can be used for connecting to Snowflake via the Snowflake JDBC driver. By default, the Duo Push authentication mechanism is used when a user is enrolled in MFA; no changes to the JDBC connection string are required.

To use a Duo-generated passcode instead of the push mechanism, one of the following parameters must be included in the JDBC connection string:

passcode=<passcode_string> OR passcodeInPassword=on

Where:

  • passcode_string is a Duo-generated passcode for the user who is connecting. This can be a passcode generated by the Duo Mobile application or an SMS passcode.
  • If passcodeInPassword=on, then the password and passcode are concatenated, in the form of <password_string><passcode_string>.

For more details, see JDBC Driver.

Examples of JDBC Connection Strings Using Duo

JDBC connection string for user demo connecting to the abc123 account (in the US West Snowflake Region) using a Duo passcode:

jdbc:snowflake://abc123.snowflakecomputing.com/?user=demo&passcode=123456

JDBC connection string for user demo connecting to the abc123 account (in the US West Snowflake Region) using a Duo passcode that is embedded in the password:

jdbc:snowflake://abc123.snowflakecomputing.com/?user=demo&passcodeInPassword=on

Using MFA with ODBC

MFA can be used for connecting to Snowflake via the Snowflake ODBC driver. By default, the Duo Push authentication mechanism is used when a user is enrolled in MFA; no changes to the ODBC settings are required.

To use a Duo-generated passcode instead of the push mechanism, one of the following parameters must be specified for the driver:

passcode=<passcode_string> OR passcodeInPassword=on

Where:

  • passcode_string is a Duo-generated passcode for the user who is connecting. This can be a passcode generated by the Duo Mobile application or an SMS passcode.
  • If passcodeInPassword=on, then the password and passcode are concatenated, in the form of <password_string><passcode_string>.

For more details, see ODBC Driver.