Cloud warehousing firm Snowflake is making multifactor authentication (MFA) mandatory for all users next year through a phased approach that will start in April 2025 and be completed seven months later.

Users who haven’t enabled their accounts with MFA by November 2025 will be blocked from accessing them, the company announced this month.

Snowflake joins a slow but steady beat of IT vendors – including cloud computing giants Google Cloud and Microsoft Azure – that are taking the step of making MFA mandatory for signing into accounts to strengthen the authentication and verification processes and protect against credential theft. Amazon Web Services (AWS) this week said it was making gains moving root user accounts to using MFA, with the goal of making MFA mandatory for all users with root access by next spring.

The company’s announcement follows a similar one in September, when it made MFA the default for all new accounts with password sign-ins opened starting in October. In both instances, Snowflake officials noted that the company had signed a pledge adhering to CISA’s secure by design push to make security a key design point in software throughout the development process.

From Vulnerabilities to Identity

Hackers in recent years have shifted their efforts to gain initial access into networks and systems from exploiting security flaws and toward identity and credentials. Despite investments by companies in security awareness and training programs, human beings continue to be the weakest link in cybersecurity, from falling for phishing lures or misconfigurations to using easy-to-break passwords or reusing passwords for multiple online accounts.

There is a push among organizations like the FIDO Alliance and vendors such as Microsoft, Apple, and Google to eventually move away entirely from passwords to more secure authentication tools, including biometrics and passkeys.

Speaking from Experience

Snowflake executives understand the importance of secure accounts. A hacker using stolen credentials earlier this year was able to break into the Snowflake accounts of more than 160 customers, including such names as AT&T, Ticketmaster, Neiman Marcus, Pure Storage, and Santander Bank. The hacker stole data and later tried to extort money from several victims.

A 26-year-old Canadian man was arrested last month in connection with the attacks.

Three-Step Process

Snowflake will phase in the mandatory MFA initiative over three stages, with the first coming in April, when human users with accounts that don’t have a customized authentication policy will need to enroll in MFA the next time they into Snowflake using a password.

In August, mandatory MFA will extend to all human users, even those with a custom authentication policy. In November, the vendor will block all sign-ins using a single password, including human users with interactive logins and service users that use programmatic access.

Snowflake executives said the vendor “will continue investing in the security capabilities of our customer accounts and bring more products and innovations to this space, such as native support for passkeys and time-based one-time password (TOTP) including authenticator apps.”

They added that those will add to other security efforts at Snowflake, such as Leaked Password Protection, and Trust Center, along with the MFA policies and programmatic access tokens, which will hit private preview soon.

Tactics for Bypassing MFA

While mandatory MFA is a strong step in the right direction, there are no guarantees it will stop all attacks. Cybersecurity firm Upguard last month noted that “while MFA may discourage amateur cybercriminals from attempting further compromise, more skilled hackers bypass MFA requirements using several tactics. … There are many ways hackers can bypass MFA to carry out devastating cyber attacks – and this list is growing.”

Those techniques include social engineering – including phishing – tricking victims into revealing sensitive information or into clicking on a malicious link. There also is consent phishing, where “hackers can pose as legitimate OAuth login pages and request whichever level of access they need from a user,” Upguard wrote. “If granted these permissions, the hacker can successfully bypass the need for any MFA verification, potentially enabling a full account takeover.”

Bad actors can also use brute force attacks, exploit generated tokens, steal cookies – also known as session hijacking – and SIM hacking via tactics like SIM swapping, SIM cloning, and SIM-jacking.