Add MFA to every database connection.
A stolen credential is all it takes to access your databases. Authnull puts a phishing-resistant second factor in front of every connection — MySQL, PostgreSQL, Oracle, SQL Server — without changing the database engine or the client tools.
MFA on every database your team touches.
The Authnull agent sits on the database host and intercepts connections before they reach the engine — no schema changes, no stored procedures, no driver swaps.
MySQL / MariaDB
MFA on every connection to MySQL and MariaDB databases — on-prem or cloud-hosted. Agent intercepts at port 3306.
port 3306 · Windows · Linux
PostgreSQL
Protect PostgreSQL connections with a factor challenge before the session is established. Works with psql, pgAdmin, and app drivers.
port 5432 · Windows · Linux
Oracle Database
Enforce MFA on Oracle DB access including privileged DBA logins — the accounts with SYSDBA and unrestricted query rights.
1521 · DBA access · TNS
SQL Server
Add a second factor to SQL Server connections — covering both app service accounts and human DBA access over SSMS.
1433 · SSMS · service accounts
Linux database hosts
The agent runs on Linux servers hosting any supported database — no changes to the DB engine itself, no stored-procedure hooks.
Ubuntu · RHEL · Debian
Windows database hosts
Install the agent on Windows Server hosts running MySQL or SQL Server — configured by PowerShell in minutes.
Windows Server · PowerShell
Agent on the host. Transparent to the engine.
Authnull installs a lightweight agent on your database server. The agent intercepts connections before they reach the DB process, challenges for a factor, and proxies through on success. Zero changes to the database itself.
Connection flow
Agent install: < 10 min
Require MFA exactly where it matters.
Scope policy by DB user, database name, source IP, and time of day — so your DBA connecting from home gets a hardware key, while a local read-only app account stays unaffected.
MFA is the gate. Visibility and control come with it.
Every feature in the Authnull database module is designed around one goal: you should know exactly who is accessing your data, and be able to stop them if they shouldn't be.
Manage DB privileges alongside MFA — in one place.
Least privilege
Most teams manage database grants separately from identity policy. Authnull ties them together — enforce MFA on who can connect AND enforce which privileges they can exercise, from the same console. SELECT for analysts. INSERT + DELETE for app accounts. Full admin only for your on-call DBA, with a FIDO2 key and a time window.
Phishing-resistant first. Flexible where you need it.
Pick the right factor per policy — hardware key for DBAs, push for power users, TOTP for automation. We're honest about the weak ones.
Four steps from install to enforced.
Database MFA, answered.
How does Database MFA work without changing the database engine?
Authnull installs a lightweight agent on the database server host (Windows or Linux). The agent intercepts incoming connections at the network level before they reach the DB process. It challenges the user for a second factor, then proxies the connection through if the factor is approved — the database engine never sees a failed auth attempt.
Which databases are supported?
MySQL / MariaDB (port 3306) and PostgreSQL (port 5432) are fully supported on both Windows and Linux today. Oracle DB and SQL Server support is available — contact us to confirm your exact version and platform.
Does this work for application service accounts, not just humans?
Yes. For service accounts that can't complete an interactive push, Authnull supports TOTP-based factors that can be embedded in automation, or time-boxed credential grants that expire automatically. You can also scope MFA enforcement to human users only and leave service accounts on a separate policy.
Can I require MFA only for privileged database users?
Yes. Policy is scoped by DB user, database name, source IP, and time of day — so you can require a hardware key for DBA accounts connecting from outside the network, while read-only app accounts are unaffected.
What does the agent install look like?
On Linux, you run a shell script (run_agent.sh) downloaded from your tenant. On Windows, a PowerShell script handles the install. Both generate an agent key tied to your org — the agent phones home to Authnull over HTTPS, not the other way around.
Does Authnull log every database connection?
Yes. Every connection attempt — successful or blocked — is recorded in the auth log with user, source, database, timestamp, and factor result. Logs are searchable and can be exported or forwarded to a SIEM.
Put MFA on your databases this week.
Start with MySQL or PostgreSQL on one host, or have us scope your full database environment in 20 minutes and map a rollout.