The MFA token was generated but not used within its validity window (usually 30 seconds for TOTP). The user's device clock is out of sync, causing tokens to be calculated for the wrong time window. A cached MFA token was replayed after it expired. The MFA passcode was typed incorrectly or with extra whitespace. The Duo Push approval timed out before the user responded

Synchronize the device clock — TOTP tokens are time-based and a 30-second drift causes 390195.. Use a freshly generated token, not one that has been waiting on a clipboard.. For Duo Push, respond to the push notification promptly before it expires.. If using MFA token caching, verify that the cached token has not expired: ALTER USER ... SET MINS_TO_BYPASS_MFA = N.. For service accounts, consider switching to key-pair authentication to eliminate MFA dependency in automated pipelines.

Medium severityaccess controlSnowflake →

Snowflake Error:
390195

What does this error mean?

Snowflake rejected the MFA token because it had already expired or been used by the time the connection was authenticated — the Duo push or TOTP code was not presented quickly enough.ed, was already used, or was presented outside its valid time window.

Common causes

1The MFA token was generated but not used within its validity window (usually 30 seconds for TOTP)
2The user's device clock is out of sync, causing tokens to be calculated for the wrong time window
3A cached MFA token was replayed after it expired
4The MFA passcode was typed incorrectly or with extra whitespace
5The Duo Push approval timed out before the user responded

How to fix it

1Synchronize the device clock — TOTP tokens are time-based and a 30-second drift causes 390195.
2Use a freshly generated token, not one that has been waiting on a clipboard.
3For Duo Push, respond to the push notification promptly before it expires.
4If using MFA token caching, verify that the cached token has not expired: ALTER USER ... SET MINS_TO_BYPASS_MFA = N.
5For service accounts, consider switching to key-pair authentication to eliminate MFA dependency in automated pipelines.

Frequently asked questions

Can I temporarily bypass MFA for a specific user?

Yes — an admin can run ALTER USER username SET MINS_TO_BYPASS_MFA = 60 to allow the user to authenticate without MFA for up to 60 minutes. This is intended for emergency access, not routine operations.

Does Snowflake support MFA token caching to reduce repeated prompts?

Yes. Set ALLOW_CLIENT_MFA_CACHING = TRUE at the account or user level. Clients then cache the MFA token for the duration set by MINS_TO_BYPASS_MFA, reducing repeated authentication prompts during a work session.

Source · docs.snowflake.com/en/error-codes/error-390195