Keebo | Snowflake MFA & Key-Pair Authentication: How to Keep Your Data & Infrastructure Secure

Snowflake MFA & Key-Pair Authentication: How to Keep Your Data & Infrastructure Secure


With rising compliance requirements and the growing risk of data breaches, Snowflake is moving away from password-only logins and encouraging stronger authentication methods. 

Two of the most important options are multi-factor authentication (MFA) for interactive users and key-pair authentication for service accounts and automated connections. MFA adds a second layer of defense beyond passwords, while key-pair authentication relies on RSA or ECDSA keys to provide secure, passwordless access. Both approaches require proper setup and careful handling of private keys (“secrets”) to maintain security. 

In this guide, we’ll show you how to enable MFA and key-pair authentication in Snowflake, manage policies for users, handle secrets safely, and apply best practices to keep your data and infrastructure secure.

Key Takeaways

  • Snowflake is continuing its deprecation timeline for single-factor password logins
  • MFA is being enforced for existing and new human users logging into Snowsight from September 2025 through January 2026, with additional enforcement milestones throughout 2026.
  • Key pair authentication will be the main authentication method for service users, with OAuth, Programmatic Access Tokens (PAT), and Workload Identity Federation (WIF) being available as alternatives. From May-July 2026, no new LEGACY_SERVICE users can be created, and by August-October 2026, all service users must use these secure authentication methods.
  • Enabling MFA and key-pair authentication not only reduces the risk of breaches from phishing or stolen passwords but also helps meet regulatory requirements such as GDPR and HIPAA.
  • Strong security depends on continuous monitoring, enforcing authentication policies, securing private keys, and auditing users—tasks that can be automated and simplified with tools like Keebo.

What is MFA & Key-Pair Authentication in Snowflake?

Snowflake is evolving its security model to phase out password-only logins and replace them with stronger, modern authentication methods that reduce the risks of breaches tied to stolen or weak credentials. These include multi-factor authentication (MFA) for human users, and key-pair authentication for automated or service accounts.

  • Multi-factor authentication requires users who sign in with a password to also provide a second factor of authentication, such as a passkey, an authenticator app generating time-based one-time codes, or Duo Security. 
  • Key-pair authentication relies on public/private key cryptography, where a public key is stored in Snowflake, while the private key is securely managed by the client and used to sign authentication requests. 

Human users must use MFA when logging into Snowsight, with enforcement rolling out from September 2025 through January 2026 as a first step towards enforcing this for all log-ins made by human users by October 2026.  Service accounts will be required to use either key-pair, Oauth, PAT, or WIF. While this is only enforced for accounts explicitly set up as SERVICE accounts at the moment, Snowflake will extend this to the LEGACY_SERVICE type users in 2026 as well.

As Snowflake plans on disabling single-factor password logins for good by October 2026, it’s best to start the transition today. Note that Snowflake revised this timeline in October 2025, extending the final deadline to provide organizations more time to migrate.

Snowflake’s Phased Enforcement Timeline

Snowflake revised their authentication enforcement timeline in October 2025 to provide customers with additional time and clarity. The rollout follows three key milestones:

  • Milestone 1 (September 2025 – January 2026): MFA required for all Snowsight users with password-based authentication
  • Milestone 2 (May 2026 – July 2026): All newly created human users must use MFA; no new LEGACY_SERVICE users can be created
  • Milestone 3 (August 2026 – October 2026): All human users must use MFA for any password-based access; all service users must use key-pair, OAuth, PAT, or WIF (LEGACY_SERVICE type fully deprecated)

Why Strong Authentication Matters: Use Cases & Risks

Password-only logins are one of the major sources of exposure to phishing, credential stuffing, brute-force attacks, and other cybersecurity threats. For example, a reused corporate password stolen from another breach could allow unauthorized access to sensitive Snowflake data. In the same vein, a service account relying on a static password could be exploited to run mass queries or exfiltrate data without detection.

This is one of the main reasons why strong authentication is becoming a compliance requirement. Frameworks like GDPR and HIPAA explicitly call for strong access controls to protect personal and healthcare data. During audits, organizations may be asked to show evidence of MFA enrollment or proof that service accounts use cryptographic key pairs instead of passwords. Organizations who don’t have this evidence risk higher costs, audit failures, or reputational damage.

How to Enable MFA in Snowflake

Thankfully, Snowflake makes it straightforward to enable multi-factor authentication at both the individual and account level:

  1. Log into Snowsight.
  2. Navigate to SettingsAuthenticationMulti-Factor Authentication
  3. Add an authentication method, such as a passkey, authenticator app (TOTP), or Duo Security

Users with admin permissions can set MFA requirements, which involve specifying which methods are allowed and assigning policies across the entire account. 

To find users Snowflake considers human and don’t have multi-factor authentication enabled: 

Screenshot 2025 11 18 at 5.03.10 PM Edited

As these accounts will be able to log into Snowsight, they should have MFA enabled. While at it, it’s also worth checking the list for accounts that can be turned into service accounts.

To force a user to enroll in MFA and disallow any single-factor password logins: 

Screenshot 2025 11 18 at 5.03.17 PM Edited

How to Set Up Key-Pair Authentication

Setting up key-pair authentication is a more involved process:

  1. Generate an RSA key pair (Snowflake requires at least a 2048-bit key for strong security)
  2. Store the public key within Snowflake, while letting the client hold the private key so they can use it to sign authentication requests
  3. For maximum security, private keys should be encrypted with a passphrase and stored securely stored in a secrets manager or vault
  4. Attach the public key to a Snowflake user object via SQL, enabling that user to log in securely without a password

Snowflake also supports storing two active public keys per user, allowing for key rotation without downtime. Clients such as SnowSQL or the Python connector use the private key to establish the session, ensuring service accounts authenticate safely and reliably without relying on credentials vulnerable to theft.

Managing Policies & Exceptions

Snowflake uses authentication policies to define how users authenticate, which methods are permitted, and whether multi-factor authentication (MFA) is required. These policies can be applied at the account level to cover all users, or overridden at the individual user level for specific needs. 

The most important parameters include:

MFA_ENROLLMENTDetermines if MFA is required or optional
AUTHENTICATION_METHODSSpecify login methods (e.g., PASSWORD, SAML, KEYPAIR, OAuth)
MFA_POLICYLimits MFA methods to options like passkeys, TOTP, or Duo

Administrators can also restrict client types or tie authentication to specific integrations.

Service accounts are excluded from MFA requirements by design. By marking a user as TYPE=SERVICE, Snowflake ensures the account can only use methods like key-pair or OAuth, never password + MFA. This separation keeps automation secure without conflicting with human login policies.

Handling Private Keys & Secrets Safely

Managing private keys and secrets properly is critical to securing Snowflake environments. Because key-pair authentication relies on cryptographic credentials, any mishandling of private keys—such as leaving them unencrypted or embedded in code—can undermine the very security they’re meant to provide. Following these best practices ensures that both human and service accounts remain protected against misuse, compromise, or accidental exposure:

  • Always generate encrypted private keys with strong passphrases to protect them at rest
  • Store keys in enterprise-grade secret managers (e.g., AWS Secrets Manager, Azure Key Vault, HashiCorp Vault) instead of files or plaintext environments
  • Enforce least-privilege access, ensuring only authorized services or admins can retrieve secrets
  • Never hardcode keys or passphrases in application code
  • Monitor authentication attempts and audit logs for failed logins or anomalies that may signal key misuse
  • Rotate keys on a regular schedule

Limitations, Caveats & What To Watch Out For

  • Data lag. ACCOUNT_USAGE.USERS data can lag up to two hours—not ideal for real-time audits.
  • Edge cases. While most applications and clients support MFA and Key-Pair authentication, make sure that yours have support for the desired authentication method.
  • Common errors. The public key is uploaded to Snowflake and associated with a user. The private key is the one that stays safely with you. When registering the key via SQL, exclude any public key delimiters. 
  • Timeline pressures. Upcoming deprecation of password-only auth, required migration planning, etc. 

How Keebo Helps You Stay Secure & Manage Authentication

Keebo extends Snowflake’s native visibility by automatically surfacing authentication and usage insights across your data ecosystem. Keebo also enables proactive automation and compliance. You can configure alerts for authentication policy violations, automatically flag weak or noncompliant accounts, and monitor key-pair usage trends alongside query and cost data. 

By detecting risks early and tying authentication behavior to data usage, Keebo helps reduce both security exposure and administrative overhead. This helps to keep Snowflake environments compliant, cost-efficient, and resilient against unauthorized access.

Learn more about Keebo’s real-time, autonomous Snowflake optimization capabilities with a one-on-one demo. 

Frequently Asked Questions (FAQ)

What is a Snowflake recommendation for the use of key pair authentication?

Snowflake recommends using a passphrase that complies with PCI DSS standards to protect the locally generated private key. Additionally, Snowflake recommends storing the passphrase in a secure location. If you are using an encrypted key to connect to Snowflake, enter the passphrase during the initial connection.

Does Snowflake require MFA for all users?

Snowflake requires MFA for all human users logging in via Snowsight. By the end of 2026, Snowflake plans on making this a general requirement for all logins by humans, while service users may only authenticate via key-pair, Oauth, PAT, or WIF. Single-factor password logins will be prohibited entirely for human and service users alike.  

How does Snowflake enable OAuth?

Snowflake enables OAuth for clients through integrations. An integration is a Snowflake object that provides an interface between Snowflake and third-party services.

Author

Martin Kiefer
Martin Kiefer
Articles: 3

Related Posts