Configuring a second factor of authentication

When a password user is enrolled in Multi-factor authentication (MFA), they must use a second factor of authentication when signing in to Snowflake. These users enter their password, then use the second factor.

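Snowflake offers the following possible second factors:

  • Authenticate with a passkey that can be stored and accessed in multiple ways.
  • Authenticate with your preferred authenticator app.
  • Authenticate with Duo.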

Your administrator controls which factors are available to you. For more information, see Restricting which MFA methods are available.

Getting started

When an administrator requires a user to enroll in MFA, the user is prompted to add a second factor of authentication the next time they sign in to Snowsight.

If you are already signed in to Snowsight and want to set up a second factor of authentication, do the following:

  1. In the left navigation bar, select your name. The user menu opens.
  2. Select Settings.
  3. Select Authentication.
  4. In the Multi-factor authentication section, select Add new authentication method.
  5. Follow the prompts to configure your second factor of authentication.

Using a passkey for authentication

A passkey is a form of authentication based on the WebAuthn standard (https://www.w3.org/TR/webauthn-3/), which uses public/private key cryptography. When you successfully configure Snowflake to authenticate with a passkey, the private key is securely stored in a personal location, whether it’s on your machine, a hardware security key (for example, a Yubikey), or a password manager.

To set up a passkey as a second factor of authentication, complete the following tasks:

  1. When prompted, select Passkey.
  2. Complete the steps to store your passkey as you would with any other website or application. For example, you can use a hardware security key or configure your machine so you must use a fingerprint to access the passkey when authenticating.
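  3. Specify a name for the authentication method so that you can identify it when signing in to Snowflake.

After you enter your password, you are prompted to provide the passkey using the method you configured.

Using an authenticator app

Snowflake lets you use your preferred authenticator app to provide a time-based one-time passcode (TOTP) as a second factor of authentication. Common authenticator apps include Google Authenticator, Microsoft Authenticator, and Authy.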

To set up an authenticator app as a second factor of authentication, complete the following tasks:

  1. When prompted, select Authenticator.
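  2. Complete the steps with your authenticator app as you would with any other website or application.
  3. Specify a name for the authentication method so that you can identify it when signing in to Snowflake.

After you enter your password, you are prompted to enter a TOTP from your authenticator app.

Using Duo

To set up Duo as a second factor of authentication, complete the following tasks: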

  1. When prompted, select DUO.
  2. Complete the steps with Duo as you would with any other website or application.

Note

Your administrator must configure your organization’s firewall before you can use Duo as a second factor of authentication. For more information, see Prerequisite.

Viewing your authentication methods

You can use Snowsight or SQL to view your second factors of authentication.

  1. Sign in to Snowsight.
  2. In the left navigation bar, select your name. The user menu opens.
  3. Select Settings.
  4. Select Authentication.
  5. Use the Multi-factor authentication section to view your MFA methods.

Note

If you’re an administrator who wants to view the authentication method of another user, see SHOW MFA METHODS.

For information about the passkeys and TOTPs for all users in the account, query the CREDENTIALS view. Note that this view does not include information about Duo authenticators (Duo push and passcodes).

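Setting a default authentication method

If you have configured multiple MFA methods as second factors of authentication, you can choose which method to use to authenticate after you enter your password. To set the default second factor of authentication, do the following:

  1. In the left navigation bar, select your name. The user menu opens.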
  2. Select Settings.
  3. Select Authentication.
  4. In the Multi-factor authentication section, select an MFA method from the Default sign-in method drop-down.

Identifying login sessions that used a second-factor credential

To determine when a second-factor credential was used for authentication (for example, a specific passkey or time-based one-time passcode), you can join the LOGIN_HISTORY and CREDENTIALS views in the ACCOUNT_USAGE schema on the column containing the credential ID:

  • The LOGIN_HISTORY view contains the credential ID in the second_authentication_factor_id column, if the second_authentication_factor column contains PASSKEY or TOTP.
  • The CREDENTIALS view contains the credential ID in the credential_id column.

For example:

SELECT
    login.event_timestamp,
    login.user_name,
    cred.name
  FROM SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY login
    JOIN SNOWFLAKE.ACCOUNT_USAGE.CREDENTIALS cred
    ON login.second_authentication_factor_id = cred.credential_id
  WHERE login.second_authentication_factor IN ('PASSKEY', 'TOTP');
+-------------------------------+-----------+--------------+
| EVENT_TIMESTAMP               | USER_NAME | NAME         |
|-------------------------------+-----------+--------------|
| 2025-08-05 17:10:00.941 -0700 | USER_A    | PASSKEY_RALU |
| 2025-07-28 13:04:27.201 -0700 | USER_B    | TOTP_D406    |
| 2025-07-21 09:09:47.701 -0700 | USER_C    | PASSKEY_GN1N |
+-------------------------------+-----------+--------------+

To get information about the queries that were run during this login session, you can join the LOGIN_HISTORY view with the SESSIONS view on the login_event_id column to get the session ID, and then use that to join the QUERY_HISTORY view.
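
The three-way join described above, written out as an added example that is not part of the original page. It assumes that LOGIN_HISTORY exposes the login event ID as event_id and that QUERY_HISTORY and SESSIONS share a session_id column; the credential name PASSKEY_RALU is taken from the sample output above.

```sql
-- Added example: list the queries run in sessions that were opened with a
-- specific second-factor credential.
-- Assumptions (not stated on the page): LOGIN_HISTORY.event_id is the column
-- that matches SESSIONS.login_event_id, and QUERY_HISTORY.session_id matches
-- SESSIONS.session_id.
SELECT
    login.event_timestamp  AS login_time,
    login.user_name,
    login.client_ip,
    cred.name              AS credential_name,
    sess.session_id,
    qh.query_id,
    qh.start_time,
    qh.query_text
  FROM SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY login
    JOIN SNOWFLAKE.ACCOUNT_USAGE.CREDENTIALS cred
      ON login.second_authentication_factor_id = cred.credential_id
    JOIN SNOWFLAKE.ACCOUNT_USAGE.SESSIONS sess
      ON sess.login_event_id = login.event_id
    -- LEFT JOIN keeps sessions that authenticated but ran no queries.
    LEFT JOIN SNOWFLAKE.ACCOUNT_USAGE.QUERY_HISTORY qh
      ON qh.session_id = sess.session_id
  WHERE login.second_authentication_factor IN ('PASSKEY', 'TOTP')
    AND login.is_success = 'YES'
    AND cred.name = 'PASSKEY_RALU'   -- credential name from the sample output
    AND login.event_timestamp >= DATEADD(day, -30, CURRENT_TIMESTAMP())
  ORDER BY login.event_timestamp, qh.start_time;
```

ACCOUNT_USAGE views are populated with some latency, so very recent logins and queries may not appear in the result yet.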