Multi-factor authentication with Duo
You can use Cyral to require multi-factor authentication (MFA) for data users. Once you've configured a Duo integration in Cyral, you can add an access condition on any repository to require its users to complete Duo authentication each time they access the repository.
Supported repository types
MFA with Duo is supported on the following repository types: MariaDB, MongoDB, MySQL, Oracle, PostgreSQL, Redshift, and Microsoft SQL Server.
Prerequisites
Prerequisites for setting up Duo MFA in Cyral
- Connect Cyral's SSO integration to your identity provider.
- Add a Duo integration to cyral
Prerequisites for authenticating users with Duo MFA
- To authenticate with Duo MFA, the user must log in with a username that matches their username in Duo. You can achieve this manually or by using directory synchronization between Duo and your SSO identity provider.
- For each combination of user and repository where MFA will be required, your repository configuration in Cyral must contain an access rule with a restrict-access condition requiring Duo integration.
- Each MFA-authenticated data user must have a mobile authenticator app from Duo Security:
For more information, see Login experience for data users, below.
Add a Duo integration to Cyral
First, in your Duo management console, create an application that will protect your repositories via Cyral:
- In the Duo management console, go to Applications
- Select Protect an Application
- Choose Partner Auth API and click Protect. Once you've done this,
Duo provides three pieces of information that you'll need in order to
connect Cyral and Duo. Copy these values to a safe location or keep
this tab open. The values are:
- integration key
- secret key
- API hostname
Next, in the Cyral control plane UI, add the Duo MFA integration:
- Click Integrations in the left panel of the Cyral control plane UI.
- Find the Duo card and click Setup or Configure.
- In the new window click New Integration.
- In the configuration form, provide the integration key, secret key, and API hostname you copied from Duo earlier. Name the integration as you like and click Add to complete the integration.
Duo MFA authentication will only be required for those user-repository combinations where you've enabled it. Proceed to the next section to require Duo MFA for one or more users of a repository.
Require Duo multi-factor authentication on a repository
For each combination of user and repository where MFA will be required, your repository configuration in Cyral must contain an access rule for the SSO user(s) who will authenticate with MFA on this repository, and each such access rule must contain a restrict-access condition that's set to use your Duo integration.
note
For a given repository protected in Cyral, there is no setting that enables MFA for all users of that repository. Instead, in the repository configuration in Cyral, you must add access rules for the users who will authenticate with MFA on this repository, and each of these access rules must contain the MFA requirement. If you wish to ensure that all users use MFA on the repository, check all the access rules on the repository, making sure that each contains the Duo MFA requirement.
In the Cyral control plane UI, click Data Repos in the left navigation bar, click the name of your repository, and click the User Authentication tab.
Follow the instructions in Add an access rule, and choose the name of your Duo integration in the Additional Access Restrictions section.
Now that you've created the mapping for the SSO group or user you specified, Duo MFA authentication will be required anytime this user / a user from this group tries to connect to this repository. Repeat the above steps to require MFA for other repositories, or for other users on this repository.
Login experience for data users
When the user connects to and MFA-protected repository, their Duo mobile application will prompt them to complete the authentication on their mobile device.
See Prerequisites for authenticating users with Duo MFA, above.
Making MFA more usable for your users
DataGrip: Reducing the number of MFA prompts users see
When using DataGrip to connect to an MFA-protected database, users can reduce the number of MFA approval requests they receive by setting the single session mode option in DataGrip.
To set this up in DataGrip, edit your data source for the repository. In the properties of the data source, click Options and turn ON Single-session mode.
MongoDB: Reducing the number of MFA prompts users see
MongoDB users who connect with any tool that uses the MongoDB Node.js driver (MongoDB Compass, MongoDB Shell, etc.) will receive multiple MFA approval requests when connecting, as well as extra MFA approval requests when they submit queries. See our support article for a workaround.