Using Duo as a multi-factor authentication (MFA) method
This topic provides general information about using Duo in conjunction with multi-factor authentication (MFA), including administrative tasks that must be completed before users can use Duo as an MFA method. If you are a user who wants to set up Duo as your second factor of authentication, see Configuring a second factor of authentication.
Note
Users in trial accounts and Snowflake Open Catalog accounts cannot use Duo as their second factor of authentication. For other options, see Configuring a second factor of authentication.
Users don’t need to separately sign up with Duo or perform any tasks, other than installing the Duo Mobile application, which is supported on multiple smartphone platforms. For more information about supported platforms/devices and how Duo multi-factor authentication works, see the Duo User Guide (http://guide.duosecurity.com/).
Prerequisites
The Duo application service communicates through TCP port 443.
To ensure consistent behavior, update your firewall settings to include the Duo application service on TCP port 443.
For more information, see the Duo documentation (https://duo.com/docs/duoweb#first-steps).
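MFA login flow
The following diagram illustrates the overall login flow for a user enrolled in MFA, regardless of the interface used to connect:
Switching phones used for MFA
Instant Restore is a Duo feature that allows a user to back up the Duo app before switching to a new phone. As long as a Snowflake user backs up the old phone first, they can use Instant Restore to enable authentication on the new phone without interrupting MFA for Snowflake.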
If a user does not back up the old phone or loses the old phone, the Snowflake account administrator must help set up a new MFA method. For information, see Recovering a user who is locked out.
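MFA error codes associated with Duo
The following are MFA-related error codes that can be returned during the authentication flow when a user is using Duo as their second factor of authentication.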
The errors are displayed with each failed login attempt. Historical data is also available in Snowflake Information Schema and Account Usage:
- Information Schema provides data from within the past seven days and can be queried using the LOGIN_HISTORY and LOGIN_HISTORY_BY_USER table functions.
- The Account Usage LOGIN_HISTORY view provides data from within the past year.
| Error Code | Error | Description |
|---|---|---|
| 390120 | EXT_AUTHN_DENIED | Duo Security authentication is denied. |
| 390121 | EXT_AUTHN_PENDING | Duo Security authentication is pending. |
| 390122 | EXT_AUTHN_NOT_ENROLLED | User is not enrolled in Duo Security. Contact your local system administrator. |
| 390123 | EXT_AUTHN_LOCKED | User is locked from Duo Security. Contact your local system administrator. |
| 390124 | EXT_AUTHN_REQUESTED | Duo Security authentication is required. |
| 390125 | EXT_AUTHN_SMS_SENT | Duo Security temporary passcode is sent via SMS. Please authenticate using the passcode. |
| 390126 | EXT_AUTHN_TIMEOUT | Timed out waiting for your login request approval via Duo Mobile. If your mobile device has no data service, generate a Duo passcode and enter it in the connect string. |
| 390127 | EXT_AUTHN_INVALID | Incorrect passcode was specified. |
| 390128 | EXT_AUTHN_SUCCEEDED | Duo Security authentication is successful. |
| 390129 | EXT_AUTHN_EXCEPTION | Request could not be completed due to a communication problem with the external service provider. Try again later. |
| 390132 | EXT_AUTHN_DUO_PUSH_DISABLED | Duo Push is not enabled for your MFA. Provide a passcode as part of the connection string. |
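
As an added example (not part of the Snowflake documentation), the following query uses the Account Usage LOGIN_HISTORY view to summarize the Duo failure codes from the table above per user and hour, so that repeated denials, timeouts, or lockouts stand out for review. The seven-day window and the threshold of five failures per hour are assumptions to tune for your environment.

```sql
-- Added example: hourly summary of Duo MFA failures per user.
-- Assumptions: 7-day lookback and a threshold of 5 failures per hour.
WITH duo_failures AS (
    SELECT
        user_name,
        client_ip,
        event_timestamp,
        error_code
    FROM snowflake.account_usage.login_history
    WHERE event_timestamp >= DATEADD(day, -7, CURRENT_TIMESTAMP())
      AND error_code IN (
          390120,  -- EXT_AUTHN_DENIED
          390122,  -- EXT_AUTHN_NOT_ENROLLED
          390123,  -- EXT_AUTHN_LOCKED
          390126,  -- EXT_AUTHN_TIMEOUT
          390127,  -- EXT_AUTHN_INVALID
          390129,  -- EXT_AUTHN_EXCEPTION
          390132   -- EXT_AUTHN_DUO_PUSH_DISABLED
      )
)
SELECT
    user_name,
    DATE_TRUNC('hour', event_timestamp)  AS hour_bucket,
    COUNT_IF(error_code = 390120)        AS denied,
    COUNT_IF(error_code = 390126)        AS timed_out,
    COUNT_IF(error_code = 390127)        AS invalid_passcode,
    COUNT_IF(error_code = 390123)        AS locked,
    COUNT_IF(error_code = 390129)        AS provider_errors,
    COUNT(DISTINCT client_ip)            AS distinct_client_ips,
    MIN(event_timestamp)                 AS first_seen,
    MAX(event_timestamp)                 AS last_seen
FROM duo_failures
GROUP BY user_name, DATE_TRUNC('hour', event_timestamp)
HAVING
    -- Many denied, timed-out, or wrong-passcode attempts in one hour
    COUNT_IF(error_code IN (390120, 390126, 390127)) >= 5
    -- Any Duo lockout is worth a look regardless of volume
    OR COUNT_IF(error_code = 390123) > 0
ORDER BY last_seen DESC;
```

A high `provider_errors` count across many users at the same time points to connectivity with the Duo service (see the TCP port 443 prerequisite) rather than to a problem with individual accounts.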
