MySQL Blog Archive
MySQL Enterprise Security: 4 New Authentication Methods

Introduction

Data is an organization's most valuable asset. For the CISO (Chief Information Security Officer), protecting that data is the primary concern and responsibility.

MySQL Enterprise Edition provides powerful security capabilities for: 

•    Increased protection against database attackers
•    Regulatory Compliance (GDPR, PCI, HIPAA, etc.)
•    Simplified and improved user authentication   
•    Lower IT management costs 

According to the Identity Theft Resource Center's 2021 Data Breach Report, there were 1,862 data breaches in 2021, surpassing the previous record set in 2017. The same report attributes 80% of breaches in the financial sector to authentication weaknesses. Attackers who gain access to a user account can steal Personally Identifiable Information (names, social security numbers, medical records) and conduct financial transactions on behalf of the user. Reducing the risk of weak authentication is therefore a top priority.

MySQL Enterprise Authentication recently added the following advanced authentication capabilities:

1.    Multi-factor Authentication
2.    LDAP and Active Directory Authentication
3.    Native Kerberos Authentication
4.    Password-less Authentication - FIDO (Fast Identity Online)
 

MySQL Advanced Authentication Methods

Let’s take a closer look at each of these methods.


Multi-factor Authentication

With multiple factors, guessing or stealing a single password is no longer enough to connect to the database. MFA requires additional factors beyond the password, such as a code from a user device, a security question response, a fingerprint, or face recognition. MySQL supports up to 3 factors, in whichever order is desired. PCI DSS Requirement 8 now mandates MFA for access to the cardholder data environment - see the PCI DSS Guide.

For example, Alice will first need to provide her MySQL password, followed by her LDAP password:

CREATE USER 'alice'@'localhost' IDENTIFIED WITH caching_sha2_password BY 'sha2_password' AND IDENTIFIED WITH authentication_ldap_sasl AS 'uid=u1_ldap,ou=People,dc=example,dc=com';

Alternatively, we could ALTER the account so that the second factor is FIDO authentication, with a YubiKey for example:

ALTER USER 'alice'@'localhost' MODIFY 2 FACTOR IDENTIFIED WITH authentication_fido;

Or we could add a third factor.

ALTER USER 'alice'@'localhost' ADD 3 FACTOR IDENTIFIED WITH authentication_fido;

Many guidelines now recommend requiring a non-password method as the first factor. Either way, MFA significantly raises the cost of an attack that starts with a stolen password.
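As an added worked example (not code from the original post), here is the full lifecycle of the account above: checking that the plugins behind each factor are loaded, creating the two-factor account, inspecting what the server stored, removing and re-adding a factor, and enforcing a second factor by policy. The statements are MySQL 8.0.27+ syntax; 'alice', the password and the LDAP DN are the illustrative values from the post, and the authentication_ldap_sasl plugin is assumed to be installed and configured already.

```sql
-- Added example, not from the original post. Assumes MySQL 8.0.27 or later
-- with authentication_ldap_sasl already installed and configured; the account
-- name, password and LDAP DN are illustrative.

-- 1. Verify the plugins behind each factor are loaded before depending on them.
--    A factor whose plugin is missing makes the account unusable, not less secure.
SELECT PLUGIN_NAME, PLUGIN_STATUS
  FROM INFORMATION_SCHEMA.PLUGINS
 WHERE PLUGIN_NAME IN ('caching_sha2_password',
                       'authentication_ldap_sasl',
                       'authentication_fido');

-- 2. Create the account with two factors, evaluated in this order:
--    MySQL-native password first, then the LDAP credential.
CREATE USER 'alice'@'localhost'
  IDENTIFIED WITH caching_sha2_password BY 'sha2_password'
  AND IDENTIFIED WITH authentication_ldap_sasl
      AS 'uid=u1_ldap,ou=People,dc=example,dc=com';

-- 3. Confirm what the server recorded: the output lists every factor
--    with its plugin, in order.
SHOW CREATE USER 'alice'@'localhost';

-- 4. Factors can be removed as well as added or modified.
--    This leaves alice with only her MySQL password again.
ALTER USER 'alice'@'localhost' DROP 2 FACTOR;

-- 5. Put the second factor back, this time as a FIDO device. The device
--    still has to be registered by the user before the account is usable.
ALTER USER 'alice'@'localhost' ADD 2 FACTOR IDENTIFIED WITH authentication_fido;

-- 6. Enforce MFA for accounts created or altered from now on.
--    authentication_policy has one element per factor: '*' means the factor
--    is required and any plugin is allowed, a plugin name means that specific
--    plugin is required, and an empty element means the factor is optional.
--    The default is '*,,' (one required factor, two optional ones).
SET PERSIST authentication_policy = '*,*,';
```

To connect, the client supplies each factor in order: `mysql --user=alice --password1 --password2` prompts for the MySQL password and then for the second factor; after step 5 the user first runs `mysql --user=alice --password1 --fido-register-factor=2` once to register the device.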


LDAP and Active Directory Authentication

IT environments, especially within large organizations can be complex. Centralizing user account management reduces IT management costs as well as provides consistency, so users don't have to have different credentials across resources.

MySQL Servers that run on Windows can use MySQL Enterprise Windows Authentication to authenticate users via Active Directory. The authentication string lists the Windows users and groups whose members may connect as this MySQL account:

CREATE USER sql_admin IDENTIFIED WITH authentication_windows AS 'Rafal, Tasha, Administrators, "Power Users"';

MySQL Servers running on Linux can use MySQL Enterprise LDAP Authentication, which can be configured to authenticate against either LDAP servers or Active Directory servers.

MySQL Enterprise LDAP Authentication also includes support for

  • SASL - Simple Authentication and Security Layer
  • GSSAPI/Kerberos Authentication

In GSSAPI mode, the client first authenticates to Kerberos to obtain a service ticket and then presents it to MySQL through the LDAP SASL plugin, so no password ever reaches the MySQL server. Group mapping can be configured using MySQL proxy users: a group in the LDAP directory or Active Directory is mapped to a MySQL account, and members of that group connect with the privileges of that proxied account.
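As an added worked example (not from the original post), here is the proxy-user mapping just described, using the authentication_ldap_sasl plugin. The LDAP host, the CA file path, the DN suffix, the group names developer and manager, and the database name devdb are illustrative assumptions; the plugin, including its bind settings, is assumed to be installed and configured.

```sql
-- Added example, not from the original post. Assumes authentication_ldap_sasl
-- is installed and its bind settings configured; the host, CA path, DN suffix,
-- group names and database are illustrative.

-- 0. Plugin configuration. Bind credentials and group lookups travel over the
--    LDAP connection, so require TLS and pin the CA instead of trusting the network.
SET PERSIST authentication_ldap_sasl_server_host = 'ldap.example.com';
SET PERSIST authentication_ldap_sasl_tls         = ON;
SET PERSIST authentication_ldap_sasl_ca_path     = '/etc/mysql/ldap-ca.pem';
-- The LDAP attribute whose value must equal a MySQL proxied account name.
SET PERSIST authentication_ldap_sasl_group_search_attr = 'cn';

-- 1. Proxied accounts carry the privileges. mysql_no_login means nobody can
--    authenticate to them directly; they are reachable only by proxying.
INSTALL PLUGIN mysql_no_login SONAME 'mysql_no_login.so';
CREATE USER 'developer'@'localhost' IDENTIFIED WITH mysql_no_login;
CREATE USER 'manager'@'localhost'   IDENTIFIED WITH mysql_no_login;
GRANT SELECT, INSERT, UPDATE ON devdb.* TO 'developer'@'localhost';
GRANT ALL PRIVILEGES         ON devdb.* TO 'manager'@'localhost';

-- 2. A single anonymous account performs the LDAP authentication. The leading
--    '+' makes the plugin append this suffix to the login name, so a user who
--    connects as 'bob' is looked up as uid=bob,ou=People,dc=example,dc=com.
--    Grant this account no privileges of its own: a user in no mapped group
--    must gain nothing by authenticating.
CREATE USER ''@'%' IDENTIFIED WITH authentication_ldap_sasl
  AS '+ou=People,dc=example,dc=com';

-- 3. Restrict what that account may become. After a successful bind the plugin
--    reads the user's group attribute; if it names an account granted here,
--    the session runs as that account.
GRANT PROXY ON 'developer'@'localhost' TO ''@'%';
GRANT PROXY ON 'manager'@'localhost'   TO ''@'%';

-- 4. Check, from a session opened by an LDAP user: USER() is the LDAP login
--    name, CURRENT_USER() the proxied account whose privileges apply, and
--    @@proxy_user the account that did the proxying (NULL if none did).
SELECT USER(), CURRENT_USER(), @@proxy_user;
```

Adding a new role is then a directory change plus one CREATE USER and one GRANT PROXY on the MySQL side; no per-person MySQL accounts are created, which is what keeps the management cost down.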


Native Kerberos

MySQL Kerberos Authentication uses the user's Kerberos tickets for authentication. On Linux these are MIT Kerberos tickets obtained through the GSSAPI (Generic Security Services Application Program Interface). On Windows, both native Windows Kerberos via SSPI (Security Support Provider Interface) and MIT Kerberos via GSSAPI are supported.

For Kerberos, once the server is configured, for example:

[mysqld]
plugin-load-add=authentication_kerberos.so
authentication_kerberos_service_principal=mysql/krbauth.example.com@MYSQL.LOCAL
authentication_kerberos_service_key_tab=/var/mysql/data/mysql.keytab

then users can be created, with the Kerberos realm as the authentication string:

CREATE USER 'karl' IDENTIFIED WITH authentication_kerberos BY 'MYSQL.LOCAL';

The keytab holds the service's long-term key, so it should be owned by the account mysqld runs as and readable by no one else, and the host part of the service principal must match the name clients use to reach the server.

From there the user runs kinit on Linux (or the MIT Kerberos tools on Windows when using GSSAPI) to obtain a ticket:

$> kinit karl@MYSQL.LOCAL
Password for karl@MYSQL.LOCAL: (enter password here)

Check the ticket cache:

$> klist

Ticket cache: FILE:/tmp/krb5cc_244306
Default principal: karl@MYSQL.LOCAL
Valid starting       Expires              Service principal
03/23/2021 08:18:33  03/23/2021 18:18:33  krbtgt/MYSQL.LOCAL@MYSQL.LOCAL

Then log in; in the most common case no username or password needs to be provided, since the client takes them from the ticket:

mysql ... --default-auth=authentication_kerberos_client

 


Password-less Authentication - FIDO (Fast Identity Online)

MySQL DBAs can create users that authenticate to MySQL Server using FIDO authentication, as specified by the FIDO Alliance. The alliance is an open industry association whose goal is to provide authentication standards based on device attestation (smart cards, security keys, and biometric readers), reducing the world's over-reliance on passwords. FIDO collaborates with the W3C (World Wide Web Consortium) and others.

With FIDO, the DBA creates the user; the user then registers a device with the MySQL server, which requires local authentication to the device (a PIN, for example). Once registered, the user connects using that device to authenticate. The device must be attached to the machine running the mysql client, and the client needs the authentication_fido_client plugin.

For passwordless authentication with only the FIDO device, create the user with an initial password that is used solely for device registration:

CREATE USER user IDENTIFIED WITH authentication_fido INITIAL AUTHENTICATION IDENTIFIED BY {RANDOM PASSWORD | 'auth_string'};

Next, the user (u1 here) registers the device by authenticating with that initial password and naming the factor to register:

$> mysql --user=u1 --password --fido-register-factor=2

Enter password:***************

After registration, only the device is required for the user to authenticate; the initial password is no longer used.
 

(Figure: Hardware Auth FIDO YubiKey)

The UAF protocol works within TLS to perform verification.

(Figure: FIDO Architecture)

 

Often FIDO is combined with another factor to implement 2-factor authentication: something you know (a password) plus something you have, in this case the FIDO device.


Conclusion

MySQL Enterprise Security now includes 4 new advanced authentication capabilities. A little effort to implement them goes a long way towards protecting your organization's most valuable asset: your data.