Following a series of assaults, Snowflake maintains that the responsibility for security lies with their customers.
Snowflake, the cloud-based data warehousing company, has announced a new policy aimed at enhancing login security following a series of high-profile breaches affecting its customer environments in 2024. The policy, effective by November 2025, will eliminate password-only logins and mandate Multi-Factor Authentication (MFA) for all users and service accounts.
The policy responds directly to the breaches, aiming to strengthen authentication security. Under the new rules, password-only login will be blocked entirely across production and enterprise accounts. MFA will be compulsory for all human users authenticating with passwords, while service accounts must move away from password-based authentication. Instead, service accounts must use other authentication methods such as key pair authentication, OAuth 2.0, Single Sign-On (SSO) via SAML or OAuth, or Programmatic Access Tokens.
This shift enforces a Zero Trust security model to prevent unauthorized access through compromised passwords. Snowflake's CEO, Sridhar Ramaswamy, stated that the issue was not on Snowflake's side and that no evidence of a breach or compromise was found on their platform.
For existing Snowflake customers, MFA remains an optional security control. However, for newly created accounts, MFA is now enabled by default. Snowflake works closely with the customers who were breached to help them get out of their difficult situation.
Despite the attacks affecting more than 100 of its customer environments in April, Snowflake's losses widened to almost $317 million, up from almost $227 million in the year-ago quarter. However, the company's revenue increased 29% year over year to nearly $869 million in its fiscal 2025 second quarter. The attacks had no impact on Snowflake's consumption during the quarter.
The burgeoning cloud market's shared responsibility status quo was tested by the attacks on Snowflake customers' databases. In the shared responsibility model, Snowflake customers are solely responsible for creating and securing access credentials to the Snowflake platform.
Snowflake is one of nearly 200 companies that have signed CISA's secure-by-design pledge and voluntarily committed to embrace secure development practices over the next year. Despite the challenges technology vendors confront in instituting sweeping changes to a widely used platform, Snowflake's new policy reflects the company's commitment to prioritizing security.
However, some third-party tools integrating with Snowflake face challenges as they currently do not support key pair authentication, which Snowflake favors as the recommended method for machine-to-machine scenarios under this policy. Developers and automation pipelines using Snowflake are urged to migrate to the supported authentication methods to avoid disruptions post-November 2025.
Despite the attacks, Snowflake remains "slightly muted" about the incidents because the company itself was not directly impacted. Too many CISOs think they can 'buy' security only to find out after the fact their cybersecurity vendors only sell tools and do not share their sense of security posture ownership. Snowflake's CFO, Michael Scarpelli, confirmed that there was no indication the attack spree on Snowflake customers impacted the company's financial performance.
In summary, Snowflake's new MFA enforcement significantly tightens login security by eliminating single-factor, password-only access and mandating MFA or stronger authentication methods for all users and services. This is designed to protect customer data from breaches related to compromised credentials.
In light of the high-profile breaches, Snowflake's new policy aims to strengthen security further by eliminating password-only logins and enforcing Multi-Factor Authentication (MFA) for all users and service accounts, as a response to the compromised cloud security incidents. To meet the new rules, service accounts must transition from password-based authentication to other methods such as key pair authentication, OAuth 2.0, Single Sign-On (SSO) via SAML or OAuth, or Programmatic Access Tokens, while human users authenticating with passwords will be compulsory to use MFA.
