Database Account Two-Factor Authentication (2FA)


MariaDB SkySQL supports database account 2FA (two-factor authentication) as an option:

  • This feature is not enabled by default. By default, database users are authenticated by single factor, password.

  • When enabled, users are authenticated by password and a second factor via PAM.

  • Database Account 2FA is available to Power Tier customers.


  • Distributed Transactions

  • Multi-Node Analytics

  • Replicated Transactions

  • Single Node Analytics

  • Single Node Transactions

Enable Database Account 2FA

  1. Launch the SkySQL service to be linked.

  2. Contact SkySQL Support to request database account 2FA:

    • Provide the SkySQL Service name.

  3. Additional instructions on configuration and usage are provided by SkySQL Support.

Service Configuration for PHP

When database account 2FA is enabled for a SkySQL service that uses MariaDB Enterprise Server, the service requires extra configuration to accept connections from PHP.

By default, Enterprise Server's pam authentication plugin tells the client to provide the password or authentication token using the dialog client authentication plugin. PHP does not currently support the dialog client authentication plugin, so PHP applications can not authenticate via pam with the default service configuration. When authentication is attempted, a warning or error is raised with the following message:

mysqli_connect(): The server requested authentication method unknown to the client [dialog] in SOURCE_FILE on line SOURCE_LINE

However, PHP does support the mysql_clear_password client authentication plugin, which can be used instead of the dialog client authentication plugin.

MariaDB Enterprise Server can be configured to use mysql_clear_password instead of dialog by enabling the pam_use_cleartext_plugin system variable. The pam_use_cleartext_plugin system variable can be enabled as a custom configuration. For more information, contact MariaDB Support.