Planning for the deprecation of single-factor password sign-ins

To improve the security posture of all of its customers, Snowflake is rolling out changes to require multi-factor authentication (MFA) for all human users using passwords, and disallow passwords for all service users. This topic describes how single-factor password sign-ins will be deprecated so you can plan accordingly.

Important

In October 2025, Snowflake simplified the timeline discussed in this topic. The new timeline consolidates initial milestones and extends the final enforcement date from August 2026 to October 2026. This change streamlines the process of adopting MFA and was made in response to direct customer feedback regarding the complexity of meeting the original milestone timelines.

This revised timeline provides your organization with more time and clarity to plan the migration of your current workloads that rely on passwords. It also gives you the opportunity to adopt our recently released security improvements designed to make your transition easier. These security improvements include workload identity federation for secretless authentication of your service workloads and one-time passcodes (OTP) as a new MFA method for your breakglass scenarios.

The deprecation process described in this topic does not apply to reader accounts or trial accounts. You can continue to sign in to these types of accounts with a single-factor password.

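Human users versus service users

User objects in Snowflake do not always correspond to a human user. Some users sign in to Snowflake without human interaction, for example an application or service. These users are considered service users.

Administrators use the TYPE parameter of the user object to define whether a user is a human user or a service user.

  • For human users, TYPE=PERSON. If the TYPE parameter is not set or is set to NULL, the user is treated as a human user.

  • For service users, TYPE=SERVICE.

    Note

    The LEGACY_SERVICE user type helps customers move their service users to secure forms of authentication. Setting a user's type to LEGACY_SERVICE temporarily allows the user to authenticate with a password even though it is an application or service. The rollout described in this topic involves the gradual deprecation of this user type.

The distinction between human users and service users is important because this rollout affects the two types of users differently. To strengthen the security posture of both types of users, the deprecation of single-factor password sign-ins includes the following: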

  • All human users who use password authentication will be required to use a second factor of authentication.

  • All legacy service users who currently use password authentication will be required to migrate to a more secure authentication method.

Deprecation timeline

The following table provides the timeline for the deprecation of single-factor password sign-ins.

| Estimated dates | Affected users | Milestone |
|---|---|---|
| Sep. 2025 - Jan. 2026 | Human users | Mandatory MFA for all Snowsight users |
| May 2026 - Jul. 2026 | Human users; legacy service users | Strong authentication for NEW users |
| Aug. 2026 - Oct. 2026 | Human users; legacy service users | Strong authentication for ALL users |

Milestone 1: Mandatory MFA for all Snowsight users (new and existing)

Milestone 1 is implemented using Snowflake's established behavior change release process. In this process, Snowflake releases a behavior change bundle each month. Because the changes will be included in a behavior change bundle, enforcement of the new restrictions coincides with the lifecycle of the bundle.

For more information about the lifecycle of behavior change bundles so you can plan for the enforcement of this milestone, see Behavior change policy.

2025_06 bundle (September 2025 - January 2026) [1]

Objective

New behavior

Mandatory MFA for all Snowsight users

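Human users must use a second factor of authentication when using a password to access Snowsight, with no exceptions.

Keep the following in mind:

  • This milestone affects Snowsight only. Human users can continue to access Snowflake from business intelligence (BI) and similar tools with a single-factor password, even if they enrolled in MFA using Snowsight. You can choose to enforce MFA for these other tools; users who have enrolled in MFA and use it outside of Snowsight will continue to use MFA.

  • Authentication policies that make MFA enrollment optional for Snowsight are overridden.

  • Because users who authenticate with Snowflake OAuth do so through the Snowsight sign-in interface, they must enroll in MFA.

  • Single sign-on users are not affected by this change and can continue to access Snowsight without adjustment.

  • Legacy service users (TYPE=LEGACY_SERVICE) are not affected by this change and can continue to access Snowsight with a single-factor password.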

For detailed information about how the changes in this bundle affect password and SSO authentication for your users, see Upcoming Multi-Factor Authentication (MFA) enforcement for Snowsight logins with single-factor passwords (https://community.snowflake.com/s/article/Upcoming-MFA-enforcement-for-Snowsight-logins) (Knowledge Base article).

Milestone 2: Strong authentication for new users

Milestone 2 will be enforced in accounts on a rolling basis during a three-month period. You'll receive a notification with the enforcement date for your account.

May 2026 - July 2026 [2]

Objective

New behavior

Mandatory MFA for all new human users

All human users that are created after this milestone is enforced must use a second factor when authenticating with a password, including those using BI tools or similar.

Human users who existed before the milestone is enforced are not affected. These password users can continue to use BI tools or similar (anything but Snowsight) without a second factor of authentication until the next milestone.

For example, suppose this milestone is enforced on May 15, 2026. All human users created on or after this date must use a second factor of authentication regardless of the surface. Human users who existed before this date can continue to use password-only authentication for BI tools, but not Snowsight.

No new legacy service users

All non-human users created after the milestone is enforced must be of type SERVICE, which prevents them from using a password. The LEGACY_SERVICE type is no longer available when creating a new user object. In addition, administrators cannot change the type of an existing user to LEGACY_SERVICE.

For example, suppose this milestone is enforced on May 15, 2026. After this date, TYPE=LEGACY_SERVICE is an invalid option when executing a CREATE USER or ALTER USER command.

Milestone 3: Strong authentication for all users

Milestone 3 will be enforced in accounts on a rolling basis during a three-month period. You'll receive a notification with the enforcement date for your account.

August 2026 - October 2026 [3]

Objective

New behavior

Mandatory MFA for all human users

When this milestone is enforced, all new and existing human users must use a second factor when authenticating with a password, with no exceptions.

No legacy service users

When this milestone is enforced, all non-human users are blocked from using a password to authenticate.

The LEGACY_SERVICE user type is fully deprecated. All existing user objects with TYPE=LEGACY_SERVICE are migrated to TYPE=SERVICE, which prevents them from using a password.
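
The three milestones above, combined into one decision function that can be run over a user inventory to see which password-only sign-ins stop working on a given date. This is an added planning example, not Snowflake code. It assumes Milestone 1 is already enforced and covers password users only; the function names, surface labels, sample inventory and Milestone 3 date are constructed, and the Milestone 2 date is the example date used in this topic.

```python
from datetime import date

# Enforcement dates are per account and come from Snowflake's notification.
M2 = date(2026, 5, 15)   # the example date used in this topic
M3 = date(2026, 8, 15)   # constructed placeholder, not a published date

def password_only_allowed(user_type, created_on, surface, on_date, m2=M2, m3=M3):
    """Return True if a single-factor password sign-in is still accepted.

    Assumes Milestone 1 is already enforced. Reader and trial accounts are
    out of scope because the deprecation does not apply to them.
    """
    utype = (user_type or "PERSON").upper()  # unset or NULL TYPE means human
    if utype not in ("PERSON", "SERVICE", "LEGACY_SERVICE"):
        raise ValueError(f"unknown user TYPE: {user_type!r}")
    if utype == "SERVICE":
        return False          # SERVICE users can never use a password
    if on_date >= m3:
        return False          # Milestone 3: all users, no exceptions
    if utype == "LEGACY_SERVICE":
        return True           # unaffected until Milestone 3, Snowsight included
    if surface == "snowsight":
        return False          # Milestone 1: MFA for every human in Snowsight
    return created_on < m2    # Milestone 2: only pre-existing humans are exempt

def blocked_users(inventory, on_date, m2=M2, m3=M3):
    """Names of users whose password-only sign-in is rejected on on_date."""
    return [name for name, utype, created, surface in inventory
            if not password_only_allowed(utype, created, surface, on_date, m2, m3)]

# Constructed inventory: (name, TYPE, created_on, surface signed in to).
INVENTORY = [
    ("ALICE", None, date(2024, 3, 1), "snowsight"),
    ("BOB", "PERSON", date(2025, 1, 10), "bi_tool"),
    ("CAROL", "PERSON", date(2026, 6, 1), "bi_tool"),
    ("ETL_OLD", "LEGACY_SERVICE", date(2023, 7, 1), "driver"),
    ("ETL_NEW", "SERVICE", date(2026, 6, 1), "driver"),
]

if __name__ == "__main__":
    for day in (date(2026, 6, 15), date(2026, 9, 1)):
        print(day, blocked_users(INVENTORY, day))
```

Users that appear in the later list but not the earlier one are the workloads to migrate before Milestone 3 reaches the account.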
