Planning for the deprecation of single-factor password sign-ins

To improve the security posture of all of its customers, Snowflake is rolling out changes to require multi-factor authentication (MFA) for all human users using passwords, and disallow passwords for all service users. These service users must switch to a stronger authentication method that doesn't require interaction with a person. This topic describes how single-factor passwords will be deprecated so you can plan accordingly.

Important

Snowflake provides a tool that guides you through the process of implementing strong authentication for all users, so you are ready for the deprecation of single-factor passwords. For more information, see Strong authentication hub.

The phases described in this topic don't apply to reader accounts, trial accounts, or Snowflake Postgres. You can continue to sign in to these types of accounts with a single-factor password.

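Human users versus service users

A user object in Snowflake doesn't always correspond to a human user. Some users sign in to Snowflake without human interaction, for example applications or services. These users are considered service users.

Administrators use the TYPE parameter of the user object to define whether a user is a human user or a service user.

  • For human users, TYPE=PERSON. If the TYPE parameter is not set or is set to NULL, the user is treated as a human user.

  • For service users, TYPE=SERVICE.

    Note

    The LEGACY_SERVICE user type helps customers move their service users to a secure form of authentication. Setting a user's type to LEGACY_SERVICE temporarily allows the user to authenticate with a password even though it is an application or service. The rollout described in this topic involves the gradual deprecation of this user type.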

The distinction between a human user and a service user is important because this rollout affects these two types of users differently. To harden the security posture for both types of users, the enforcement of strong authentication consists of the following:

  • All human users who use password authentication will be required to use a second factor of authentication.

  • All legacy service users who currently use password authentication will be required to migrate to a more secure authentication method.

Enforcement timeline

The following table provides the timeline for the enforcement of strong authentication methods.

| Estimated dates | Affected users | Phase |
|---|---|---|
| Nov. 2025 - Jan. 2026 | Human users | Mandatory MFA for all Snowsight users |
| Mar. 2026 - May 2026 | Human users; legacy service users | Strong authentication for NEW users |
| Aug. 2026 - Oct. 2026 | Human users; legacy service users | Strong authentication for ALL users |

To learn how to implement strong authentication to meet these deadlines, see Strong authentication hub.

Phase 1: Mandatory MFA for all Snowsight users (new and existing)

Phase 1 is implemented using Snowflake's established behavior change release process. In this process, Snowflake releases a behavior change bundle each month. Because the changes will be included in a behavior change bundle, enforcement of the new restrictions coincides with the lifecycle of the bundle.

For more information about the lifecycle of behavior change bundles so you can plan for the enforcement of this phase, see Behavior change policy.

2025_06 bundle (September 2025 - January 2026) [1]

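Objective: Mandatory MFA for all Snowsight users

New behavior: Human users must use a second factor of authentication when using a password to access Snowsight, with no exceptions.

Keep the following in mind:

  • This phase affects Snowsight only. Human users can continue to use a single-factor password to access the Snowflake service from business intelligence (BI) and similar tools, even after they use Snowsight to enroll in MFA. You can choose to enforce MFA for these other tools; users who are already enrolled in MFA and use MFA outside Snowsight will continue to use MFA.

  • Authentication policies that implement optional MFA enrollment for Snowsight will be overridden.

  • Because users use the Snowsight sign-in interface to authenticate with Snowflake OAuth, they must enroll in MFA.

  • Single sign-on users are not affected by this change and can continue to access Snowsight without making adjustments.

  • Legacy service users (TYPE=LEGACY_SERVICE) are not affected by this change and can continue to use a single-factor password to access Snowsight.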

For detailed information about how the changes in this bundle affect password and SSO authentication for your users, see Upcoming Multi-Factor Authentication (MFA) enforcement for Snowsight logins with single-factor passwords (https://community.snowflake.com/s/article/Upcoming-MFA-enforcement-for-Snowsight-logins) (Knowledge Base article).

Phase 2: Strong authentication for new users

Phase 2 will be enforced in accounts on a rolling basis during a three-month period. You'll receive a notification with the enforcement date for your account.

May 2026 - July 2026 [2]

Objective: Mandatory MFA for all new human users

New behavior: All human users that are created after this phase is enforced must use a second factor when authenticating with a password, including those using BI tools or similar.

Human users who existed before the phase is enforced are not affected. These password users can continue to use BI tools or similar (anything but Snowsight) without a second factor of authentication until the next phase.

For example, suppose this phase is enforced on May 15, 2026. All human users created on or after this date must use a second factor of authentication regardless of the surface. Human users who existed before this date can continue to use password-only authentication for BI tools, but not Snowsight.

Objective: No new legacy service users

New behavior: All non-human users created after the phase is enforced must be of type SERVICE, which prevents them from using a password. The LEGACY_SERVICE type is no longer available when creating a new user object. In addition, administrators cannot change the type of an existing user to LEGACY_SERVICE.

For example, suppose this phase is enforced on May 15, 2026. After this date, TYPE=LEGACY_SERVICE is an invalid option when executing a CREATE USER or ALTER USER command.

Phase 3: Strong authentication for all users

Phase 3 will be enforced in accounts on a rolling basis during a three-month period. You'll receive a notification with the enforcement date for your account.

August 2026 - October 2026 [3]

Objective: Mandatory MFA for all human users

New behavior: When this phase is enforced, all new and existing human users must use a second factor when authenticating with a password, with no exceptions.

Objective: No legacy service users

New behavior: When this phase is enforced, all non-human users are blocked from using a password to authenticate.

The LEGACY_SERVICE user type is fully deprecated. All existing user objects with TYPE=LEGACY_SERVICE are migrated to TYPE=SERVICE, which prevents them from using a password.

To learn how to implement strong authentication to meet the requirements of this phase, see Strong authentication hub.
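To see which existing users the three phases reach, the query below lists password users and the phase that changes their sign-in. It is an added example, not part of the Snowflake documentation. It assumes the SNOWFLAKE.ACCOUNT_USAGE.USERS view exposes the TYPE, HAS_PASSWORD, HAS_MFA and HAS_RSA_PUBLIC_KEY columns, and it uses the hypothetical May 15, 2026 date from the phase 2 text as a placeholder for your account's enforcement date.

```sql
-- Added example; not Snowflake's own tooling.
-- Assumption: ACCOUNT_USAGE.USERS has TYPE, HAS_PASSWORD, HAS_MFA and
-- HAS_RSA_PUBLIC_KEY; confirm the view's columns in your account first.
-- Placeholder: replace with the phase 2 date from your account's notification.
SET phase2_enforced_on = '2026-05-15';

SELECT
    name,
    COALESCE(type, 'PERSON')      AS effective_type,  -- unset/NULL TYPE counts as human
    COALESCE(has_mfa, FALSE)      AS mfa_enrolled,
    has_rsa_public_key,            -- TRUE: a key pair is already registered
    created_on,
    CASE
        -- Legacy service users keep password sign-in until phase 3,
        -- when their type is migrated to SERVICE.
        WHEN COALESCE(type, 'PERSON') = 'LEGACY_SERVICE'
            THEN 'Phase 3: replace the password with a non-interactive method'
        -- Human users created on or after the phase 2 date need MFA everywhere.
        WHEN created_on >= TO_DATE($phase2_enforced_on)
            THEN 'Phase 2: MFA required on every surface'
        -- Older human users: Snowsight first, BI and similar tools later.
        ELSE 'Phase 1: MFA for Snowsight; phase 3: MFA on every other surface'
    END                            AS enforced_by
FROM snowflake.account_usage.users
WHERE deleted_on IS NULL           -- skip dropped users
  AND has_password                 -- only password users are in scope
  AND (
        COALESCE(type, 'PERSON') = 'LEGACY_SERVICE'
        OR (COALESCE(type, 'PERSON') = 'PERSON'
            AND NOT COALESCE(has_mfa, FALSE))
      )
ORDER BY effective_type, created_on;
```

The view records that a password exists, not that it is used, so single sign-on users who also hold a password appear in the result even though the text says SSO sign-ins are unaffected.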