Snowflake policy change – key information
Snowflake has announced the enforcement of multi-factor authentication (MFA) by default for new Snowflake accounts with the TYPE = PERSON.
From Snowflake’s knowledge base:
A human user is a Snowflake user created for interactive access (e.g., Snowsight) to an account. These users are created with user property defaults or the TYPE property set to PERSON.
A service user is a Snowflake user created for programmatic access to an account. These users are created with the TYPE property set to SERVICE or LEGACY_SERVICE and are exempt from MFA enforcement.
According to Snowflake, Service users — accounts designed for service-to-service communication — will not be subject to this MFA requirement.
What Alteryx users need to do
If you are using Alteryx to connect to Snowflake, Snowflake recommends configuring a Service user with either external OAuth or key pair authentication (alongside a network policy). This recommendation applies even if your account is not currently required to use MFA.
Alteryx supports both authentication types:
- Designer Desktop*
  - External OAuth in version 2022.3+ (help link)
  - Key Pair Authentication in version 2024.1+ (help link)
- Analytics Cloud
*Both of these authentication types require the use of Data Connection Manager (DCM). We have a great series on using DCM here.
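The following Snowflake SQL sketches the recommended setup: a TYPE = SERVICE user with key pair authentication and a network policy. It is an added example, not taken from Snowflake's or Alteryx's documentation. The object names (ALTERYX_SVC, ALTERYX_SVC_ROLE, ALTERYX_WH, ALTERYX_SVC_POLICY), the IP range and the key value are assumed placeholders.

```sql
-- Added example. All object names, the IP range and the public key value
-- are assumptions/placeholders; replace them with your own.
-- The RSA key pair is generated outside Snowflake (for example with openssl);
-- only the PUBLIC key is registered here. The private key stays with the
-- client, for example in an Alteryx DCM credential.

USE ROLE SECURITYADMIN;

-- 1. Network policy: limit where the service user may connect from.
--    203.0.113.0/24 is a documentation-only range standing in for the
--    egress addresses of the hosts that run the workflows.
CREATE NETWORK POLICY IF NOT EXISTS ALTERYX_SVC_POLICY
  ALLOWED_IP_LIST = ('203.0.113.0/24')
  COMMENT = 'Source addresses allowed for the Alteryx service user';

-- 2. Dedicated role carrying only what the workflows need.
CREATE ROLE IF NOT EXISTS ALTERYX_SVC_ROLE;
GRANT USAGE ON WAREHOUSE ALTERYX_WH TO ROLE ALTERYX_SVC_ROLE;

-- 3. Service user: TYPE = SERVICE marks it as programmatic access,
--    so it is outside the MFA enforcement that applies to TYPE = PERSON.
--    RSA_PUBLIC_KEY takes the key body without the PEM header/footer lines.
CREATE USER IF NOT EXISTS ALTERYX_SVC
  TYPE = SERVICE
  RSA_PUBLIC_KEY = '<PUBLIC_KEY_BODY_PLACEHOLDER>'
  DEFAULT_ROLE = ALTERYX_SVC_ROLE
  DEFAULT_WAREHOUSE = ALTERYX_WH
  COMMENT = 'Alteryx scheduled workflows (key pair authentication)';

GRANT ROLE ALTERYX_SVC_ROLE TO USER ALTERYX_SVC;

-- 4. Bind the network policy to this user only, not the whole account.
ALTER USER ALTERYX_SVC SET NETWORK_POLICY = ALTERYX_SVC_POLICY;

-- 5. Verify: check the TYPE, RSA_PUBLIC_KEY_FP and NETWORK_POLICY
--    properties in the output.
DESCRIBE USER ALTERYX_SVC;
```

Compare the RSA_PUBLIC_KEY_FP value against the fingerprint of the key you generated before pointing a scheduled workflow at the new user.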
Why is Snowflake making this change?
Snowflake is requiring Multi-Factor Authentication (MFA) to enhance the security of user accounts and protect sensitive data. By enforcing MFA, Snowflake aims to reduce the risk of unauthorized access, ensuring that even if a ...12. This move aligns with industry best practices for securing cloud-based services and helps organizati...3.
MFA and scheduled (aka non-interactive) applications
Multi-Factor Authentication (MFA) can cause issues with applications that are “non-interactive”, meaning a human is not interactively communicating with the service. This can also be called:
- Service-to-service communication
- Scheduled applications
These applications run automatically and can’t interact with MFA prompts.
To work around these issues, organizations often use service accounts with specific permissions and alternative authentication methods, such as API keys or key pair authentication.
When using key pair authentication, MFA is not typically required because the key pair itself provid...1. According to the Snowflake documentation (as of the creation of this article), users with the TYPE = SERVICE cannot be enrolled in MFA; however, you should work with your Snowflake administrator to understand your internal policies and procedures for connecting.
Multi-Factor Authentication (MFA) explained
Multi-Factor Authentication (MFA) is a security process that requires users to provide two or more verification “factors” to gain access to a resource, like an application or online account. It’s like adding extra locks to your door to make it harder for someone to break in.
These MFA factors are simply broken down as “something you know, something you have, or something you are.”
- Something you know: This is usually a password or PIN.
- Something you have: This could be a smartphone, a security token, or a smart card.
- Something you are: This involves biometrics like fingerprints, facial recognition, or voice recognition.
When you log in, you might enter your password (something you know) and then receive a code on your phone (something you have) that you also need to enter. This way, even if someone gets your password, they still can’t access your account without the second factor.