Authentication and MFA
Authentication is configured using the standard Snowflake SDK, not the Snowflake Promise Helper library.
The Promise Helper Library is not directly involved in the authentication process.
Users of this library have expressed concern about upcoming MFA requirements and how they might be affected. This document summarizes your options.
Snowflake will require Multi-Factor Authentication (MFA) for human users by November 2025, and deprecate the use of passwords for service users in several phases.
Libraries like this one are often used in backend services, which would be considered service users.
The Snowflake web site has guidance:
Available options
Here are the available authentication options from the SDK documentation:
Authentication Method | Supports Human Users? | Supports Service Users? | Notes |
---|---|---|---|
Password-based authentication | Yes | No | Once MFA is enabled, requires Duo approval on user device |
Single sign-on (SSO) through a web browser | Yes | No | User completes login using a web browser |
OAuth (Snowflake Built-in) | Yes | No | Requires browser interaction |
OAuth (External) ❄️ Snowflake recommended | Yes | Depends on provider | |
Native SSO through Okta | ? | ? | Not tested by us |
Key pair authentication ❄️ Snowflake recommended | No | Yes | |
Does it Work with the SDK and this Library?
All of the listed methods work with the SDK and this library. Authentication is configured using options passed to the snowflake.createConnection method.
For authentication methods that require user interaction, the connect or connectAsync method will pause while the user completes the interaction, which can be a browser-based interaction or a Duo authentication prompt. Authentication methods that require user interaction are therefore not suitable for use in back-end services.
Snowflake Recommendation
For service users: We recommend using external OAuth when possible, and if not, using key pair authentication to eliminate passwords altogether for such users. We strongly advise enabling network policies when using key pair authentication and, in general, to enable network policies for all user types, not just service users.
Guidance
Use External OAuth or Key Pair Authentication.
External OAuth
Following Snowflake’s guidance, External OAuth is a recommended authentication method for service users. Documentation for Snowflake’s External OAuth implementation can be found here:
OAuth authentication requires significant, complex, initial configuration that is best done by your company’s IT department. In most cases, it is not possible for developers to implement OAuth authentication on their own.
In many companies, an external identity provider (IdP) is already used to manage user authentication. This IdP can be leveraged to support Snowflake using External OAuth.
Key Pair Authentication
The other recommended authentication method is key pair authentication. Documentation can be found here:
This requires a somewhat complex initial setup where keys need to be generated and a public key added to the Snowflake user. Developers may be able to complete this setup on their own.
The private key must be stored securely. Consider using a solution such as AWS Secrets Manager or Azure Key Vault.
Snowflake provides the ability to rotate keys without downtime, which is a valuable feature. See the Configuring Key Pair Rotation section in the documentation.
For an example implementation, see our Key Pair Authentication example code.