At A Glance
Snowflake is tightening authentication requirements. If any user in your account still signs in using just a username and password, you must take action. Update authentication methods now to avoid disruptions.
Overview
Snowflake is rolling out significant changes to how users authenticate, specifically by phasing out password-only logins.
This post explains:
- What’s changing
- When it’s happening
- Who it affects (human vs. service users)
- What steps do you need to take
This guide will help you prepare for the transition, whether you manage user accounts or maintain scripts and tools that connect to Snowflake.
What’s Changing?
If any user in your account currently signs in using only a username and password, they will soon be required to:
- Enroll in multi-factor authentication (MFA), or
- Have their authentication method updated by a Snowflake user administrator.
When Is This Happening?
Short Answer: It’s already underway.
Snowflake is rolling this out in phases across accounts. You may see warnings in the user interface or have received email notifications. Be sure to review Snowflake’s official rollout timeline for complete details.
Can I Still Use Username & Password to Log In?
That depends — are you human?
For human users:
Username and password logins are still allowed if MFA is also enabled. If you access Snowflake via a browser (Snowsight), the CLI (SnowSQL), or specific drivers (like ODBC or JDBC), and use MFA, you’re in the clear. Just make sure your connection method supports MFA. Refer to Snowflake’s documentation for an up-to-date list of supported connection types.
For non-human (programmatic) access:
Password-based authentication is being deprecated. This includes scripts, service accounts, and third-party tools. Depending on your setup, these users must migrate to a more secure method, such as key-pair authentication or OAuth.
What Do I Need to Do?
1. Audit your users
Review all users in your Snowflake account, especially service accounts. Identify any still using password-only authentication.
2. Set the correct user type
Use ALTER USER statements to define the correct user type:
- TYPE = PERSON for human users
- TYPE = SERVICE for non-human (service) users This tells Snowflake which policies to apply to each user.
3. Communicate with human users
Let them know that MFA will be required if they use a username and password to access Snowflake.
4. Update service users
Migrate all service accounts away from password-based login. Depending on the tool or workflow, use key-pair authentication or OAuth.
Is Key-Pair Authentication More Secure Than Username and Password?
Yes — and here’s why.
With passwords, your credentials are transmitted to Snowflake (even if encrypted), and Snowflake has to store a hashed version. This introduces risk, even in secure systems.
Key-pair authentication works differently. The private key stays on your machine. Snowflake doesn’t receive it — instead, the machine signs a message, and Snowflake verifies the signature using a public key.
In simple terms:
Migrate all service accounts away from password-based login. Depending on the tool or workflow, use key-pair authentication or OAuth.
- Password: “Send me the secret.”
- Private key: “Prove you have the secret — but don’t tell me what it is.”
Still Have Questions?
We’ve got answers.
For help ensuring your authentication strategy is secure and compliant, contact your Snowflake administrator, consult Snowflake’s official documentation, or contact support.
Services provided
