2021-11

2023-11-09 Multifactor SSO Authentication for Postgres on Kubernetes

Did you know that PostgreSQL 12 introduced a way for you to provide multifactor (aka “two-factor”) authentication to your database?

This comes from the ability to set clientcert=verify-full as part of your pg_hba.conf file, which manages how clients can authenticate to PostgreSQL.

When you specify clientcert=verify-full, PostgreSQL requires a connecting client to provide a certificate that is valid against its certificate authority (CA) and whose common name (CN) matches the username the client is authenticating as.

This is similar to using the cert method of authentication.
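To make the difference between these settings concrete, the following added example (not code from the original post) reads pg_hba.conf rules and reports which factors each one enforces. The sample rules are constructed for illustration, and the parser assumes unquoted, whitespace-separated fields with no include directives.

```python
# Added example: count the authentication factors each pg_hba.conf rule enforces.
# SAMPLE_HBA is constructed for illustration; the addresses are made up.
SAMPLE_HBA = """\
# TYPE   DATABASE  USER  ADDRESS                 METHOD         OPTIONS
hostssl  all       all   10.0.0.0/8              scram-sha-256  clientcert=verify-full
hostssl  all       all   10.0.0.0/8              cert
hostssl  all       all   192.168.0.0/16          scram-sha-256  clientcert=verify-ca
hostssl  all       all   172.16.0.0 255.240.0.0  scram-sha-256
host     all       all   0.0.0.0/0               md5
"""

# Methods where the client proves knowledge of a password.
PASSWORD_METHODS = {"scram-sha-256", "md5", "password", "ldap", "radius", "pam", "bsd"}
OTHER_METHODS = {"cert", "trust", "reject", "peer", "ident", "gss", "sspi"}


def classify(line):
    """Return (method, [factors]) for one rule, or None for blanks and comments."""
    fields = line.split("#", 1)[0].split()
    if not fields:
        return None
    conn_type = fields[0]
    if conn_type == "local":
        idx = 3                      # local rules have no ADDRESS column
    elif fields[4] in PASSWORD_METHODS | OTHER_METHODS:
        idx = 4                      # ADDRESS given as CIDR, hostname or keyword
    else:
        idx = 5                      # ADDRESS given as separate IP and netmask
    method = fields[idx]
    options = dict(opt.split("=", 1) for opt in fields[idx + 1:] if "=" in opt)

    factors = []
    if method in PASSWORD_METHODS:
        factors.append("password")
    # verify-ca only checks the chain to the CA; verify-full (and the cert
    # method) also require the certificate CN to match the username.
    if method == "cert" or (conn_type == "hostssl"
                            and options.get("clientcert") == "verify-full"):
        factors.append("client certificate")
    return method, factors


def audit(text):
    """Classify every rule in a pg_hba.conf body, skipping comments and blanks."""
    return [rule for rule in map(classify, text.splitlines()) if rule]


if __name__ == "__main__":
    for method, factors in audit(SAMPLE_HBA):
        print(f"{method:14} {len(factors)} factor(s): {', '.join(factors) or 'none'}")
```

Only the first sample rule combines a password with a certificate bound to the username. The cert rule relies on the certificate alone, and the verify-ca rule accepts any certificate issued by the CA regardless of its CN.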