The multi-cloud data warehousing platform said it will completely phase out single factor authentication with passwords by November 2025
# Best Practices: Mandating Multi-Factor Authentication (MFA)
## Overview
These practices focus on the critical security step of eliminating single-factor authentication (SFA) via passwords to mitigate risks associated with credential theft, as highlighted by recent high-profile breaches utilizing compromised customer credentials. The core strategy is the mandatory adoption and enforcement of Multi-Factor Authentication (MFA) across all user accounts.
## Key Recommendations
### Immediate Actions
1. **Establish MFA as Default for New Accounts:** Configure all new user accounts, systems, and services to require MFA enrollment at the first password-based sign-in. Apply this starting now (or by Q4 2024, mirroring leading industry timelines).
2. **Inventory Authentication Policies:** Audit all existing accounts and authentication policies within critical systems (e.g., data platforms, cloud environments) to identify those currently relying solely on passwords.
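The inventory step above is easier to act on when the audit output already sorts accounts into rollout buckets. The following is an added example, not code from the report or from any platform: it takes a constructed list of account records (the `kind`, role names and credential labels are assumptions; a real run would pull these from the platform's user and policy views) and classifies each account as a human still on password-only sign-in (privileged ones first), a human already covered, or a service account that still holds a password and needs to move to machine authentication.

```python
"""Added example: classify a user directory for an MFA rollout.

Input records are constructed here. The field names, the role names in
PRIVILEGED_ROLES and the credential labels are assumptions, not any
platform's schema.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Assumption: these are the role names that count as "keys to the kingdom".
PRIVILEGED_ROLES = {"ACCOUNTADMIN", "SECURITYADMIN"}


@dataclass
class Account:
    name: str
    kind: str                      # "person" or "service" (hypothetical labels)
    has_password: bool
    mfa_enrolled: bool
    roles: List[str] = field(default_factory=list)
    # Non-password credentials the account also holds, e.g. "keypair", "oauth", "sso"
    other_credentials: List[str] = field(default_factory=list)


def classify(acct: Account) -> str:
    """Return the rollout bucket for one account."""
    if acct.kind == "service":
        # A service account with a password is single-factor by construction:
        # it cannot complete an interactive MFA prompt, so it must move to
        # key-pair / OAuth style machine authentication and then drop the password.
        return "service_password_migrate" if acct.has_password else "service_ok"
    if acct.has_password and not acct.mfa_enrolled:
        if set(acct.roles) & PRIVILEGED_ROLES:
            return "human_sfa_privileged"   # first enforcement wave
        return "human_sfa"
    # Either MFA is already enrolled or the account has no password at all
    # (e.g. SSO-only), so there is no password-only path to close.
    return "human_ok"


def audit(accounts: List[Account]) -> Dict[str, List[str]]:
    """Group account names by bucket."""
    buckets: Dict[str, List[str]] = {}
    for a in accounts:
        buckets.setdefault(classify(a), []).append(a.name)
    return buckets


def enforcement_order(accounts: List[Account]) -> List[str]:
    """Human password-only accounts in the order they should be forced to enroll:
    privileged accounts first, then everyone else."""
    buckets = audit(accounts)
    return buckets.get("human_sfa_privileged", []) + buckets.get("human_sfa", [])


# Constructed sample directory used for the demonstration below.
SAMPLE_ACCOUNTS = [
    Account("alice", "person", True, False, roles=["ACCOUNTADMIN"]),
    Account("bob", "person", True, False, roles=["ANALYST"]),
    Account("carol", "person", True, True, roles=["ANALYST"]),
    Account("dan", "person", False, False, roles=["ANALYST"], other_credentials=["sso"]),
    Account("etl_svc", "service", True, False, roles=["LOADER"]),
    Account("loader_svc", "service", False, False, roles=["LOADER"], other_credentials=["keypair"]),
]

if __name__ == "__main__":
    for bucket, names in sorted(audit(SAMPLE_ACCOUNTS).items()):
        print(f"{bucket:28s} {', '.join(names)}")
    print("enforce enrollment in this order:", enforcement_order(SAMPLE_ACCOUNTS))
```

The buckets map directly onto the timeline in the rest of this document: `human_sfa_privileged` and `human_sfa` are the users who get the non-bypassable enrollment prompt, and `service_password_migrate` is the list that must be emptied before the final single-factor cutoff.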
### Short-term Improvements (1-3 months)
1. **Initiate Phased MFA Enforcement for Existing Users (Human Accounts):** Begin the process of forcing existing human users who currently use only passwords to enroll in MFA during their next login attempt. Implement this as a non-bypassable prompt.
2. **Implement Custom Authentication Policies (If Applicable):** If the platform allows, create and apply custom authentication policies that mandate MFA for groups lacking existing MFA configuration, beginning the phasing out of reliance on universal default policies.
3. **Communicate and Educate:** Deploy an organization-wide communication campaign detailing the upcoming MFA mandate timeline, the security necessity, and step-by-step instructions for MFA setup.
### Long-term Strategy (3+ months)
1. **Enforce MFA for All Password Sign-ins:** Establish a hard deadline (e.g., August 2025) where all password-based sign-ins for human users will require successful MFA verification.
2. **Completely Block SFA Access:** Schedule and execute the final cutoff (e.g., November 2025) to completely block *any* sign-in attempt to the platform or system that relies only on single-factor authentication (i.e., passwords without a second factor).
## Implementation Guidance
### For Small Organizations
- **Prioritize Core Access:** Immediately apply MFA to administrative accounts, privileged access accounts, and accounts accessing core data repositories (like data warehouses or critical SaaS platforms).
- **Use Simple MFA Methods:** Start with easily deployable MFA methods like authenticator apps (TOTP) or SMS (while noting the security limitations of SMS).
### For Medium Organizations
- **Develop Phased Rollout Plan:** Create a formal project plan correlating user groups with MFA enforcement dates, ensuring adequate helpdesk support is ready for increased authentication troubleshooting.
- **Utilize Centralized Management:** If using an identity provider (IdP), configure the MFA requirements centrally to ensure consistency across integrated applications.
### For Large Enterprises
- **Mandate Stronger Factors:** Prioritize the deployment of phishing-resistant MFA methods (e.g., FIDO2/WebAuthn hardware tokens or certificate-based authentication) over traditional TOTP or push notifications for highly privileged roles.
- **Leverage Security Posture Tools:** Use unified security frameworks (like Snowflake Horizon Catalog, if applicable) to centrally monitor MFA adoption rates and enforce security posture settings across all cloud tenants and user groups.
## Configuration Examples
*Specific configuration instructions depend heavily on the platform (e.g., Snowflake, Azure AD, AWS). However, the general configuration objective is:*
**Configuration Target: Enforcing MFA on Password-Based Login**
1. **Policy Creation:** Define an Authentication Policy (or Conditional Access Policy) targeting the user principals.
2. **Assignment:** Assign this policy to all user roles, specifically targeting non-service accounts.
3. **Control Requirement:** Set the required grant control to "Require Multi-Factor Authentication" (or equivalent).
4. **Exclusion Management (Temporary):** Temporarily exclude service accounts (non-human access) until their identity management solution is upgraded to support machine-based authentication methods that do not rely on user MFA.
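The three-phase timeline (enrollment prompt, MFA required on password sign-ins, then a hard block on any single-factor sign-in) and the policy steps just listed can be expressed as one sign-in decision function. The block below is an added, platform-neutral example, not a configuration for Snowflake, Azure AD or any other product: the `MfaPolicy` and `SignIn` structures, the phase-1 date of 2025-01-01 and the sign-in method labels are assumptions, while the August 2025 and November 2025 dates are the example dates used in this document. It also encodes the temporary service-account exclusion and shows that the exclusion ends at the final cutoff.

```python
"""Added example: evaluate a sign-in attempt against a phased MFA policy.

The policy object and sign-in record are assumptions for illustration, not
any vendor's API. Dates are the example dates from the document plus an
assumed phase-1 date.
"""
from dataclasses import dataclass
from datetime import date
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    REQUIRE_ENROLLMENT = "require_mfa_enrollment"   # non-bypassable prompt, then continue
    REQUIRE_MFA = "require_mfa"                     # a second factor must be verified
    DENY = "deny"                                   # single-factor sign-in blocked


@dataclass
class MfaPolicy:
    enrollment_prompt_from: date   # phase 1: password-only users must enroll at next login
    mfa_required_from: date        # phase 2: password sign-ins need a verified second factor
    sfa_blocked_from: date         # phase 3: any single-factor sign-in is blocked
    exclude_service_accounts: bool = True   # temporary, per "Exclusion Management"


@dataclass
class SignIn:
    user: str
    account_type: str   # "person" | "service" (assumed labels)
    method: str         # "password" | "keypair" | "oauth" | "sso" (assumed labels)
    mfa_enrolled: bool
    mfa_verified: bool  # True only if a second factor was verified in this attempt
    when: date


def evaluate(policy: MfaPolicy, s: SignIn) -> Decision:
    """Apply the phased policy to one sign-in attempt."""
    # Machine credentials (key pair, OAuth) and SSO are not password-only sign-ins.
    # Assumption for SSO: the identity provider enforces MFA on its side.
    if s.method != "password":
        return Decision.ALLOW
    # Service accounts are excluded only until the final cutoff; after that the
    # block on single-factor access applies to every principal.
    if s.account_type == "service" and policy.exclude_service_accounts:
        return Decision.DENY if s.when >= policy.sfa_blocked_from else Decision.ALLOW
    if s.mfa_verified:
        return Decision.ALLOW
    if s.when >= policy.sfa_blocked_from:
        return Decision.DENY
    if s.when >= policy.mfa_required_from:
        return Decision.REQUIRE_MFA if s.mfa_enrolled else Decision.REQUIRE_ENROLLMENT
    if s.when >= policy.enrollment_prompt_from and not s.mfa_enrolled:
        return Decision.REQUIRE_ENROLLMENT
    return Decision.ALLOW


# Example policy: phase-1 date is an assumption; the other two are the
# document's example dates (August 2025 and November 2025).
POLICY = MfaPolicy(
    enrollment_prompt_from=date(2025, 1, 1),
    mfa_required_from=date(2025, 8, 1),
    sfa_blocked_from=date(2025, 11, 1),
)

if __name__ == "__main__":
    attempts = [
        SignIn("bob", "person", "password", False, False, date(2025, 3, 1)),
        SignIn("carol", "person", "password", True, False, date(2025, 9, 1)),
        SignIn("carol", "person", "password", True, True, date(2025, 12, 1)),
        SignIn("bob", "person", "password", False, False, date(2025, 12, 1)),
        SignIn("etl_svc", "service", "password", False, False, date(2025, 9, 1)),
        SignIn("etl_svc", "service", "password", False, False, date(2025, 12, 1)),
    ]
    for a in attempts:
        print(f"{a.when} {a.user:8s} {a.method:9s} -> {evaluate(POLICY, a).value}")
```

The ordering of the checks is the point: a verified second factor is accepted in every phase, the deny branch is evaluated before the prompt branches so that the final cutoff cannot be satisfied by merely enrolling, and the service-account carve-out is tied to the same cutoff date rather than left open-ended (the "Delaying the Final Cutoff" pitfall below).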
## Compliance Alignment
- **NIST SP 800-63B (Digital Identity Guidelines):** Achieving Digital Identity Assurance Level 2 (IAL2) or 3 (IAL3) requires multi-factor authentication.
- **ISO/IEC 27001 (A.5.15 & A.8.3):** Aligns with requirements for strong access control and secure authentication mechanisms.
- **CISA Secure by Design Pledge:** Direct adherence to foundational principles of securing products against credential compromise.
## Common Pitfalls to Avoid
- **Delaying the Final Cutoff:** Setting an initial enforcement date but failing to enforce the hard block against SFA, allowing legacy insecure access to persist.
- **Excluding Critical Administrators:** Failing to apply the strongest MFA policies to the highest-privileged accounts first, leaving the "keys to the kingdom" vulnerable.
- **Relying on Weak MFA:** Utilizing SMS-based MFA for all users without plans to upgrade to phishing-resistant methods, as SMS factors are often susceptible to interception.
- **Ignoring Non-Human Identities:** Implementing MFA only for named employees while neglecting the proper management and stronger authentication factors for service accounts and API keys.
## Resources
- **CISA Secure by Design Initiative:** Documentation regarding commitments to secure product architecture.
- **Platform Documentation:** Specific guides from identity providers (e.g., Okta, Azure AD, G Suite) on configuring mandatory MFA policies.
- **NIST 800-63B:** Standards document detailing authentication assurance levels.