Snowflake allows administrators to require MFA for all accounts in their organization. This option is new and follows a major hack of Snowflake customers that was enabled in part by inadequate security settings.

With Snowflake, administrators can now require multi-factor authentication within an organization. An administrator can easily deploy MFA to all users via a policy rule. They, in turn, will receive a prompt in Snowsight to initiate MFA.

In addition, Snowflake is making its Trust Center widely available, allowing administrators to monitor how the MFA policy is being followed and see which users have not yet configured multi-factor authentication, among other things.

Too late

The timing of the introduction of the new capabilities is no coincidence. Last month, it emerged that at least 165 Snowflake customers had fallen victim to hackers. Technically, the fault was not with the Snowflake platform itself. After all, the attackers did not exploit a vulnerability, but were able to log in using stolen and leaked data.

For customers who didn’t have MFA enabled, this was easy. In the wake of the revelations, Snowflake faced some criticism for the way it delivers MFA to users. With these new policies, the company is removing friction so that anyone can enable MFA.

Good and bad suggestions

Snowflake also offers some good (and significantly less good) tips. For example, the company recommends that administrators require a minimum password length of fourteen characters – an excellent idea.

Unfortunately, the company suggests expiring passwords after one year, even though research now confirms that requiring frequent password renewal leads users to choose poorer and simpler passwords.

As a Snowflake administrator, you should consider making long passwords and MFA easier with the new policies. The default rules in Snowflake for changing a password are 90 days, which is completely in line with completely outdated rules and therefore best set to 0 (never change) or a much longer interval.