Database MFA · MySQL · PostgreSQL · Oracle · SQL Server

Add MFA to every database connection.

A stolen credential is all it takes to access your databases. Authnull puts a phishing-resistant second factor in front of every connection — MySQL, PostgreSQL, Oracle, SQL Server — without changing the database engine or the client tools.

No DB engine changes · Windows & Linux agents · Full connection audit trail

Supported databases & platforms

MFA on every database your team touches.

The Authnull agent sits on the database host and intercepts connections before they reach the engine — no schema changes, no stored procedures, no driver swaps.

MySQL / MariaDB

MFA on every connection to MySQL and MariaDB databases — on-prem or cloud-hosted. Agent intercepts at port 3306.

port 3306 · Windows · Linux

PostgreSQL

Protect PostgreSQL connections with a factor challenge before the session is established. Works with psql, pgAdmin, and app drivers.

port 5432 · Windows · Linux

Oracle Database

Enforce MFA on Oracle DB access including privileged DBA logins — the accounts with SYSDBA and unrestricted query rights.

port 1521 · DBA access · TNS

SQL Server

Add a second factor to SQL Server connections — covering both app service accounts and human DBA access over SSMS.

port 1433 · SSMS · service accounts

Linux database hosts

The agent runs on Linux servers hosting any supported database — no changes to the DB engine itself, no stored-procedure hooks.

Ubuntu · RHEL · Debian

Windows database hosts

Install the agent on Windows Server hosts running MySQL or SQL Server — configured by PowerShell in minutes.

Windows Server · PowerShell
How it works

Agent on the host. Transparent to the engine.

Authnull installs a lightweight agent on your database server. The agent intercepts connections before they reach the DB process, challenges for a factor, and proxies through on success. Zero changes to the database itself.

Connection flow

Client (psql / SSMS / app)
↓ TCP connection attempt
Authnull DB Agent
↓ MFA challenge issued
User approves factor
↓ connection proxied through
Database engine (MySQL / PG)
No changes to the DB engine or schema.
Works with any client — psql, SSMS, DBeaver, app drivers.
Factor challenge is invisible to the database itself.

Agent install

< 10 min
# Linux
$ curl -O run_agent.sh
$ sudo ./run_agent.sh add
# Windows
PS> ./mysql-db-agent-install.ps1
Linux: shell script via curl, one command to install.
Windows: PowerShell script, no elevated domain rights needed.
Agent key ties to your Authnull tenant — HTTPS outbound only.
Agent must be able to reach Authnull over HTTPS at connection time.

Granular policy

Require MFA exactly where it matters.

Scope policy by DB user, database name, source IP, and time of day — so your DBA connecting from home gets a hardware key, while a local read-only app account stays unaffected.

DB user · Group · Database · Source IP · Time of day · Table / schema

Policy · Privileged DB access · enabled
WHEN db_user in dba_admins
AND source outside corp network
AND database production_*
REQUIRE FIDO2 security key
ELSE allow with authenticator
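
The rule above, evaluated per connection, as an added example (not Authnull's code or policy syntax). The group members, the corporate range `10.0.0.0/8`, the factor labels and every function name are assumptions made for illustration.

```python
import fnmatch
import ipaddress
from dataclasses import dataclass

# Assumed values: the page names the group and the database pattern,
# but not the group members or the corporate address ranges.
DBA_ADMINS = {"alice_dba", "bob_dba"}
CORP_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]
DATABASE_PATTERN = "production_*"


@dataclass(frozen=True)
class Connection:
    db_user: str
    source_ip: str
    database: str


def outside_corp(source_ip: str) -> bool:
    """True when the source is not inside any corporate range."""
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return True  # fail closed: an unparseable source counts as external
    return not any(addr in net for net in CORP_NETWORKS)


def required_factor(conn: Connection) -> str:
    """Evaluate the WHEN / AND / REQUIRE / ELSE rule for one connection."""
    privileged = conn.db_user in DBA_ADMINS
    in_scope_db = fnmatch.fnmatchcase(conn.database, DATABASE_PATTERN)
    if privileged and in_scope_db and outside_corp(conn.source_ip):
        return "fido2"
    return "authenticator"  # ELSE branch: still challenged, weaker factor


if __name__ == "__main__":
    # Constructed sample connections.
    for conn in [
        Connection("alice_dba", "203.0.113.7", "production_orders"),
        Connection("alice_dba", "10.1.2.3", "production_orders"),
        Connection("report_app", "203.0.113.7", "production_orders"),
        Connection("alice_dba", "203.0.113.7", "staging_orders"),
    ]:
        print(conn, "->", required_factor(conn))
```

All three conditions must hold for the hardware key to be required, so a DBA on the corporate network, or one connecting to a database outside `production_*`, falls through to the authenticator branch.
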
Platform capabilities

MFA is the gate. Visibility and control come with it.

Every feature in the Authnull database module is designed around one goal: you should know exactly who is accessing your data, and be able to stop them if they shouldn't be.

Full connection audit trail
Every database login is logged — who connected, from where, to which database, at what time. Searchable and exportable.
Least-privilege enforcement
Manage and enforce database user privileges (SELECT, INSERT, DELETE, EXECUTE) alongside MFA — not as separate tools.
Connection dashboard
See live and historical connections across all your databases in one view. Filter by host, user, database, or status.
Just-in-time access
Grant time-boxed database access with MFA at the moment of elevation — no standing privileged sessions.
Credential vaulting
Rotate and vault database credentials so service accounts never use hard-coded passwords — the agent handles the rotation.
Bridge to full PAM
When you need session recording or approval workflows, the same database identities extend into Authnull privileged access.

Manage DB privileges alongside MFA — in one place.

Least privilege

Most teams manage database grants separately from identity policy. Authnull ties them together — enforce MFA on who can connect AND enforce which privileges they can exercise, from the same console. SELECT for analysts. INSERT + DELETE for app accounts. Full admin only for your on-call DBA, with a FIDO2 key and a time window.

SELECT · INSERT · UPDATE · DELETE · EXECUTE · CREATE USER · DROP · BACKUP_ADMIN

Supported methods

Phishing-resistant first. Flexible where you need it.

Pick the right factor per policy — hardware key for DBAs, push for power users, TOTP for automation. We're honest about the weak ones.

FIDO2 / security keys
phishing-resistant
Push approval
number matching
Authenticator (TOTP)
offline-capable
Hardware OTP
YubiKey · tokens
Email
recovery only
SMS
not phishing-resistant
Passkeys
passwordless
Offline TOTP
air-gapped
Live in an afternoon

Four steps from install to enforced.

01

Install the agent

Run the install script on your database server host — Linux shell script or Windows PowerShell. One command.

~ 10 min
02

Connect your tenant

The agent registers with your Authnull tenant using a generated key. It shows up in the dashboard immediately.

~ 5 min
03

Set your policy

Choose which DB users require a second factor, which databases are in scope, and which factor to require.

~ 15 min
04

Enforce & verify

Flip enforcement on. Connect with a test account and confirm the factor challenge in Authnull logs.

same day
Helps you evidence
PCI DSS v4.0 · SOC 2 Type II · HIPAA · CMMC 2.0

FAQ

Database MFA, answered.

How does Database MFA work without changing the database engine?

Authnull installs a lightweight agent on the database server host (Windows or Linux). The agent intercepts incoming connections at the network level before they reach the DB process. It challenges the user for a second factor, then proxies the connection through if the factor is approved — the database engine never sees a failed auth attempt.

Which databases are supported?

MySQL / MariaDB (port 3306) and PostgreSQL (port 5432) are fully supported on both Windows and Linux today. Oracle DB and SQL Server support is available — contact us to confirm your exact version and platform.

Does this work for application service accounts, not just humans?

Yes. For service accounts that can't complete an interactive push, Authnull supports TOTP-based factors that can be embedded in automation, or time-boxed credential grants that expire automatically. You can also scope MFA enforcement to human users only and leave service accounts on a separate policy.

Can I require MFA only for privileged database users?

Yes. Policy is scoped by DB user, database name, source IP, and time of day — so you can require a hardware key for DBA accounts connecting from outside the network, while read-only app accounts are unaffected.

What does the agent install look like?

On Linux, you run a shell script (run_agent.sh) downloaded from your tenant. On Windows, a PowerShell script handles the install. Both generate an agent key tied to your org — the agent phones home to Authnull over HTTPS, not the other way around.

Does Authnull log every database connection?

Yes. Every connection attempt — successful or blocked — is recorded in the auth log with user, source, database, timestamp, and factor result. Logs are searchable and can be exported or forwarded to a SIEM.
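
One check to run over those records once they are exported or forwarded, as an added example (not Authnull's log schema or tooling): flag an approved connection that follows several blocked attempts by the same user in a short window. The record layout, the `approved`/`denied` values, the thresholds and all names are assumptions; only the five field names come from the answer above.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

FIELDS = ("user", "source", "database", "timestamp", "factor_result")

# Constructed sample records; values and timestamp format are assumptions.
SAMPLE_LOG = [
    ("report_app", "10.1.2.9", "production_orders", "2024-05-01T02:00:00", "approved"),
    ("bob_dba", "198.51.100.4", "production_hr", "2024-05-01T01:00:00", "denied"),
    ("bob_dba", "198.51.100.4", "production_hr", "2024-05-01T01:30:00", "denied"),
    ("bob_dba", "198.51.100.4", "production_hr", "2024-05-01T02:05:00", "denied"),
    ("bob_dba", "198.51.100.4", "production_hr", "2024-05-01T02:06:00", "approved"),
    ("alice_dba", "203.0.113.7", "production_orders", "2024-05-01T02:10:00", "denied"),
    ("alice_dba", "203.0.113.7", "production_orders", "2024-05-01T02:11:00", "denied"),
    ("alice_dba", "203.0.113.7", "production_orders", "2024-05-01T02:12:30", "denied"),
    ("alice_dba", "203.0.113.7", "production_orders", "2024-05-01T02:13:00", "approved"),
]


def parse(rows):
    """Turn exported rows into dicts keyed by the audit field names."""
    return [dict(zip(FIELDS, row)) for row in rows]


def approvals_after_denials(records, min_denials=3, window=timedelta(minutes=10)):
    """Return approvals preceded by >= min_denials denials for that user in window."""
    recent = defaultdict(deque)  # user -> timestamps of recent denials
    hits = []
    for rec in sorted(records, key=lambda r: r["timestamp"]):
        ts = datetime.fromisoformat(rec["timestamp"])
        denials = recent[rec["user"]]
        while denials and ts - denials[0] > window:
            denials.popleft()  # drop denials that fell out of the window
        if rec["factor_result"] == "denied":
            denials.append(ts)
        elif rec["factor_result"] == "approved":
            if len(denials) >= min_denials:
                hits.append((rec["user"], rec["source"], rec["database"], rec["timestamp"]))
            denials.clear()  # a success resets the streak for this user
    return hits


if __name__ == "__main__":
    for hit in approvals_after_denials(parse(SAMPLE_LOG)):
        print("review:", hit)
```
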

Put MFA on your databases this week.

Start with MySQL or PostgreSQL on one host, or have us scope your full database environment in 20 minutes and map a rollout.
