Authentication and MFA
Authentication is handled by the Snowflake SDK, not this library. However, users frequently ask about Snowflake’s upcoming MFA requirements and how they’ll be affected.
This document explains your authentication options.
Snowflake will require Multi-Factor Authentication (MFA) for human users by November 2025, and deprecate the use of passwords for service users in several phases.
Libraries like this one are often used in backend services, which would be considered service users.
For complete details, see Snowflake’s official guidance: Planning for the deprecation of single-factor password sign-ins.
Available options
Here are the available authentication options from the SDK documentation:
Authentication Method | Supports Human Users? | Supports Service Users? | Notes |
---|---|---|---|
Password-based authentication | Yes | No | Once MFA is enabled, requires Duo approval on user device |
Single sign-on (SSO) through a web browser | Yes | No | User completes login using a web browser |
OAuth (Snowflake Built-in) | Yes | No | Requires browser interaction |
OAuth (External) ❄️ Snowflake recommended | Yes | Depends on provider | |
Native SSO through Okta | ? | ? | Not tested by us |
Key pair authentication ❄️ Snowflake recommended | No | Yes | |
Compatibility
All authentication methods listed above work with this library. Authentication is configured through options passed to snowflake.createConnection.
Methods requiring user interaction (browser SSO, Duo prompts) will pause execution during authentication, making them unsuitable for backend services.
Snowflake Recommendation
For service users: We recommend using external OAuth when possible, and if not, using key pair authentication to eliminate passwords altogether for such users. We strongly advise enabling network policies when using key pair authentication and, in general, to enable network policies for all user types, not just service users.
Recommendations
For service users, use External OAuth or Key Pair Authentication.
External OAuth
Following Snowflake’s guidance, External OAuth is a recommended authentication method for service users. Documentation for Snowflake’s External OAuth implementation can be found here:
OAuth requires complex initial configuration typically handled by your IT department. Most developers cannot implement OAuth authentication independently.
If your company already uses an external identity provider (IdP), it can likely be configured to work with Snowflake’s External OAuth.
Key Pair Authentication
The other recommended authentication method is key pair authentication. Documentation can be found here:
This method requires generating key pairs and adding the public key to your Snowflake user. Developers can often complete this setup independently.
Important: Store private keys securely using services like AWS Secrets Manager or Azure Key Vault.
Snowflake provides the ability to rotate keys without downtime, which is a valuable feature. See the Configuring Key Pair Rotation section in the documentation.
For an example implementation, see our Key Pair Authentication example code.