{"id":10748,"date":"2021-02-23T01:45:12","date_gmt":"2021-02-23T09:45:12","guid":{"rendered":"https:\/\/www.couchbase.com\/blog\/?p=10748"},"modified":"2025-06-13T19:27:57","modified_gmt":"2025-06-14T02:27:57","slug":"multi-factor-authentication-mfa-2fa","status":"publish","type":"post","link":"https:\/\/www.couchbase.com\/blog\/multi-factor-authentication-mfa-2fa\/","title":{"rendered":"Deep Dive on Multi-Factor Authentication"},"content":{"rendered":"<p><span style=\"font-weight: 400\">In this article I will explain what multi-factor authentication is, why you should be using it and how to easily implement it with Couchbase Server.\u00a0 We\u2019ll look at using both software and hardware implementations, which offer a tradeoff between cost, convenience and security.<\/span><\/p>\n<h2><span style=\"font-weight: 400\">What is Multi-Factor Authentication ?\u00a0<\/span><\/h2>\n<p><span style=\"font-weight: 400\">Authentication on a Couchbase cluster is secured with a combination of user passwords, Role Based Access Control (RBAC) and, optionally, X.509 certificates.\u00a0 Passwords have been around a long time and have served their purpose well, but using them alone leaves you open to various hacking techniques.\u00a0 The good news is that passwords can be augmented with additional user information for higher levels of security in what is known as multi-factor authentication (MFA).\u00a0 You may sometimes also see this referred to as 2nd factor authentication (2FA), though 2FA is really just a subset of the wider capabilities of MFA, which can combine not just two factors, but many varied forms.\u00a0\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400\">The basis of multi-factor authentication is authenticating a user by validating two or more claims presented by the user, each from a different category of factors. 
Let\u2019s look at an example that you\u2019ve been using for years and probably never even realised; using an Automated Teller Machine (ATM) to withdraw money.\u00a0 <\/span><\/p>\n<div id=\"attachment_10751\" style=\"width: 460px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/2021\/02\/MFA.png\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-10751\" class=\"wp-image-10751 size-medium\" src=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/2021\/02\/MFA-300x225.png\" alt=\"MFA Factors\" width=\"450\" height=\"350\" \/><\/a><p id=\"caption-attachment-10751\" class=\"wp-caption-text\">ATM multi-factor authentication<\/p><\/div>\n<p><span style=\"font-weight: 400\"> Your bank will require you to insert your smart chip equipped bank card into the machine and input a pin code.\u00a0 You are going to be recorded on video, which could be used for facial recognition and they will have limits on how much you can withdraw per day.\u00a0 The bank will also use fraud detection algorithms which will block your transaction if you are located somewhere physically different to where your last transaction was recorded, if it\u2019s impractical to travel that distance in the intervening time period.\u00a0 If the transaction is from a location that is highly suspect, where you aren\u2019t normally located, you might even get a phone call from the bank to confirm.\u00a0 Let\u2019s review the different authentication factors that are available.<\/span><\/p>\n<table>\n<tbody>\n<tr>\n<td><span style=\"font-weight: 400\">Something you Know<\/span><span style=\"font-weight: 400\"><br \/>\n<\/span><span style=\"font-weight: 400\">(Knowledge factors)<\/span><\/td>\n<td>\n<ul>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">ATM Pin<\/span><\/li>\n<li><span style=\"font-weight: 400\">Password<\/span><\/li>\n<\/ul>\n<\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-weight: 400\">Something 
you have<\/span><span style=\"font-weight: 400\"><br \/>\n<\/span><span style=\"font-weight: 400\">(Possession factors)<\/span><\/td>\n<td>\n<ul>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">EMV Bank Card with a chip<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Mobile Phone push notification<\/span><\/li>\n<\/ul>\n<\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-weight: 400\">Something you are<\/span><span style=\"font-weight: 400\"><br \/>\n<\/span><span style=\"font-weight: 400\">(Inherence factors)<\/span><\/td>\n<td>\n<ul>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Facial Identification<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Fingerprint<\/span><\/li>\n<\/ul>\n<\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-weight: 400\">Somewhere you are<\/span><span style=\"font-weight: 400\"><br \/>\n<\/span><span style=\"font-weight: 400\">(Location factors)<\/span><\/td>\n<td>\n<ul>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">GPS location<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">IP Address<\/span><\/li>\n<\/ul>\n<\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-weight: 400\">When you act<\/span><span style=\"font-weight: 400\"><br \/>\n<\/span><span style=\"font-weight: 400\">(Time factors)<\/span><\/td>\n<td>\n<ul>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">ATM daily withdrawal limits<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Temporary passcodes that auto-expire<\/span><\/li>\n<\/ul>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h2><span style=\"font-weight: 400\">Why is MFA important ?\u00a0<\/span><\/h2>\n<p><span style=\"font-weight: 400\">Multi-factor authentication (MFA) is important to protect your confidential information from getting accessed, which could result in trade secrets being stolen, service outages, lost revenue, breach of trust with your 
customers which might result in regulatory fines and penalties.\u00a0\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400\">This higher level of security is required by many recognised security standards, such as the payment card industry\u2019s PCI-DSS, and NIST 800-171, which is used to protect Controlled Unclassified Information (CUI) at US government defence contractors.\u00a0 MFA is actually more important than the strength of your password in securing your account, and in fact <\/span><a href=\"https:\/\/techcommunity.microsoft.com\/t5\/azure-active-directory-identity\/your-pa-word-doesn-t-matter\/ba-p\/731984\"><span style=\"font-weight: 400\">Microsoft researchers<\/span><\/a><span style=\"font-weight: 400\">\u00a0 have reported that an account is only 0.01% as likely to be compromised if it is using MFA vs using just a password alone !<\/span><\/p>\n<h2><span style=\"font-weight: 400\">How does MFA provide additional security ?\u00a0<\/span><\/h2>\n<p><span style=\"font-weight: 400\">Multi-factor authentication (MFA) creates some additional roadblocks for hackers when they attempt to infiltrate your account. Just creating roadblocks will cause a hacker to move on to the next account, unless you are a high value target. Sometimes an organization will require MFA only for higher risk activities, taking into account a balance of risk and convenience. For example, a bank might allow a customer to log in to their online banking app using a username and password but require the customer to use biometric authentication such as a fingerprint to additionally authenticate each time the customer tries to transfer money. 
\u00a0 Let\u2019s look at some common attacks and how MFA prevents them.\u00a0<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\"><a href=\"https:\/\/en.wikipedia.org\/wiki\/Credential_stuffing\">Credential Stuffing<\/a> &#8211; the most common online attack that hackers use is to reuse usernames and passwords leaked in previous attacks, which are readily traded online by criminals. What they are looking for is to see if you\u2019ve used the same username \/ password combination across multiple systems.\u00a0 MFA systems protect against this as the other factors are usually not static and a leaked password alone isn\u2019t enough to gain access to your account.<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\"><a href=\"https:\/\/en.wikipedia.org\/wiki\/Internet_leak\">Password Leak<\/a> &#8211; Imagine you are about to log in to your Couchbase administrator console and type in your password, then hit return.\u00a0 Only then do you realize that you accidentally just typed that into your Slack window and provided your password to a public room full of people.\u00a0 With MFA, you are still secure as the password alone isn\u2019t enough to compromise your account.<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\"><a href=\"https:\/\/en.wikipedia.org\/wiki\/Malware\">Malware<\/a> \/ <a href=\"https:\/\/en.wikipedia.org\/wiki\/Keystroke_logging\">Keystroke Logging<\/a> &#8211; an attacker who has managed to load malicious software onto your system can monitor your keypresses and steal your password, but not the MFA code, which is usually generated on a separate device such as a mobile phone.\u00a0 This code is always changing, so they are unable to utilize the stolen credentials.\u00a0<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\"><a href=\"https:\/\/en.wikipedia.org\/wiki\/Brute-force_attack\">Brute Force<\/a> &#8211;\u00a0 this is where an attacker 
will systematically try every combination of username and password, usually relying on dictionaries of commonly used passwords as a first pass.\u00a0 The use of dynamically changing time limited pass-codes, which MFA can provide, makes this attack exponentially more difficult as the time window in which to correctly guess both your password and the dynamic MFA code is tiny.\u00a0 Additionally, intrusion detection systems (IDS) can spot this unusual behaviour and prevent these types of attacks.<\/span><\/li>\n<\/ul>\n<h2><span style=\"font-weight: 400\">When should you use MFA ?\u00a0<\/span><\/h2>\n<p><span style=\"font-weight: 400\">Hackers will use every bit of information they can get their hands on to target a victim.\u00a0 Many times they\u2019ll figure out how to use this information in novel ways that you may never have thought of as being a risk.<\/span><\/p>\n<p><span style=\"font-weight: 400\">The easiest way to secure yourself is to always use MFA when it is presented as an option.\u00a0 This encourages good security hygiene and protects you even if you don\u2019t think a particular platform requires higher levels of security.\u00a0\u00a0<\/span><\/p>\n<h2><span style=\"font-weight: 400\">Implementing different types of multi-factor authentication with Couchbase Server<\/span><\/h2>\n<p><span style=\"font-weight: 400\">Common MFA schemes come in several forms, each providing varying levels of security.\u00a0 Let\u2019s look at each method from least secure to most secure.\u00a0 And let&#8217;s see how we can implement some of the strongest authentication security with Couchbase Server.<\/span><\/p>\n<p><span style=\"font-weight: 400\">Well respected security researcher Troy Hunt calls this order the <\/span><a href=\"https:\/\/www.troyhunt.com\/beyond-passwords-2fa-u2f-and-google-advanced-protection\/\"><span style=\"font-weight: 400\">Hierarchy of Auth<\/span><\/a><span style=\"font-weight: 400\">.<\/span><\/p>\n<table style=\"height: 362px\" 
width=\"683\">\n<tbody>\n<tr>\n<td><span style=\"font-weight: 400\">Password<\/span><\/td>\n<td>Meh<\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-weight: 400\">Password + SMS<\/span><\/td>\n<td>Okay<\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-weight: 400\">Password + Software Token<\/span><\/td>\n<td>Better<\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-weight: 400\">Password + Hardware Token<\/span><\/td>\n<td>Great<\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-weight: 400\">Password + Universal 2nd Factor (U2F)<\/span><\/td>\n<td>Uber<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h2><span style=\"font-weight: 400\">Password<\/span><\/h2>\n<p><span style=\"font-weight: 400\">Password auth is the most basic form of authentication and when used alone it is what is referred to as a Single Factor authentication.\u00a0 Passwords are required for every user that you create in Couchbase Server, and they can be <a href=\"https:\/\/docs.couchbase.com\/server\/current\/rest-api\/rest-set-password-policy.html\">configured to specific password policies<\/a>.\u00a0 Using a strong password, even with MFA in use, is essential.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400\">This password is normally static, so if it is misplaced or stolen, you are at risk that someone will login to your account and potentially steal your data. 
You can utilize tools such as the <a href=\"https:\/\/www.hashicorp.com\/blog\/announcing-the-couchbase-secrets-engine\">HashiCorp Vault Couchbase integration<\/a>\u00a0to generate temporary accounts and passwords that are short-lived and are automatically removed;<\/span><span style=\"font-weight: 400\">\u00a0these are at less risk if they are accidentally exposed.\u00a0 Using X.509 certificates for user authentication is more secure than passwords, but they cannot be used to log in to the UI.<\/span><\/p>\n<h2><span style=\"font-weight: 400\">Password + SMS<\/span><\/h2>\n<p><span style=\"font-weight: 400\">The lowest level of MFA security is to combine a login password with a unique One Time Password (OTP) that arrives on your mobile device over SMS. Unfortunately, there are several well-known security holes in SMS-based security.\u00a0 One of the best-known risks, frequently mentioned in the press, is something known as a SIM Swap Scam.\u00a0 This is where an attacker, usually through social engineering techniques, convinces your mobile phone carrier to change your phone number over to a new SIM card which they control.\u00a0 Then the attacker receives any future SMS on their device, including your MFA One Time Passwords.\u00a0 Recently an organized criminal gang, <\/span><a href=\"https:\/\/www.europol.europa.eu\/newsroom\/news\/ten-hackers-arrested-for-string-of-sim-swapping-attacks-against-celebrities\"><span style=\"font-weight: 400\">dismantled by authorities<\/span><\/a><span style=\"font-weight: 400\">, were able to steal over $100 million USD from victims using this scam.\u00a0 There are also other methods to eavesdrop on mobile phone communication such as <a href=\"https:\/\/en.wikipedia.org\/wiki\/IMSI-catcher\">IMSI catchers<\/a> and <a href=\"https:\/\/en.wikipedia.org\/wiki\/Signalling_System_No._7\">SS7 protocol<\/a> security vulnerabilities.<\/span><\/p>\n<div id=\"attachment_10762\" style=\"width: 778px\" class=\"wp-caption 
aligncenter\"><a href=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/2021\/02\/MFA-CellTower.jpg\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-10762\" class=\"wp-image-10762 size-medium_large\" src=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/2021\/02\/MFA-CellTower-768x360.jpg\" alt=\"MFA CellTower\" width=\"768\" height=\"360\" srcset=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2021\/02\/MFA-CellTower-768x360.jpg 768w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2021\/02\/MFA-CellTower-300x141.jpg 300w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2021\/02\/MFA-CellTower-20x9.jpg 20w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2021\/02\/MFA-CellTower.jpg 1023w\" sizes=\"auto, (max-width: 768px) 100vw, 768px\" \/><\/a><p id=\"caption-attachment-10762\" class=\"wp-caption-text\">&#8220;Cell Tower Vultures&#8221; by StephenGA is marked under CC0 1.0.<\/p><\/div>\n<p><span style=\"font-weight: 400\">\u00a0The biggest risk with using SMS is if the SMS is used as a single method for account recovery in the event of a lost password, in which case the SMS becomes a single factor that is unfortunately not strongly secure.\u00a0\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400\">While Password + SMS MFA is more secure than just a password alone, it should generally be avoided so we\u2019ll skip the implementation of this method.<\/span><\/p>\n<h2><span style=\"font-weight: 400\">Password + Software Token<\/span><\/h2>\n<p><span style=\"font-weight: 400\">Using a software token MFA should be the goal for most MFA deployments as a starting point.\u00a0 This is a combination of a password (\u201cSomething you know\u201d) with a software token (\u201cSomething you have\u201d).\u00a0 The only prerequisite required is that each of your users has a smartphone and a free app such as <a 
href=\"https:\/\/en.wikipedia.org\/wiki\/Google_Authenticator\">Google Authenticator<\/a> or <a href=\"https:\/\/authy.com\/\">Authy<\/a> to generate a temporary passcode.\u00a0 A user will typically scan a QR code into their mobile phone application as a one-time activity when setting up their account.\u00a0 The mobile phone application will then constantly generate new codes that are time-based and only valid for a short time period such as 30 seconds.\u00a0 This MFA is known as <span style=\"font-weight: 400\"><a href=\"https:\/\/en.wikipedia.org\/wiki\/Time-based_One-Time_Password\">Time-based One-Time Password<\/a><\/span><span style=\"font-weight: 400\"> or TOTP and is what <a href=\"https:\/\/www.couchbase.com\/products\/cloud\/\">Couchbase Cloud<\/a> uses for account security.\u00a0 Alternatively, some solutions aren\u2019t based on time, and use <\/span><span style=\"font-weight: 400\">an incrementing counter with a <a href=\"https:\/\/en.wikipedia.org\/wiki\/HMAC-based_One-Time_Password\">HMAC-based One-time Password<\/a> (HOTP) instead.<\/span><\/span><\/p>\n<div id=\"attachment_10761\" style=\"width: 778px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/2021\/02\/MFA-SmartPhone2.jpg\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-10761\" class=\"wp-image-10761 size-medium_large\" src=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/2021\/02\/MFA-SmartPhone2-768x512.jpg\" alt=\"MFA SmartPhone 2\" width=\"768\" height=\"512\" srcset=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2021\/02\/MFA-SmartPhone2-768x512.jpg 768w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2021\/02\/MFA-SmartPhone2-300x200.jpg 300w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2021\/02\/MFA-SmartPhone2-400x267.jpg 400w, 
https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2021\/02\/MFA-SmartPhone2-450x300.jpg 450w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2021\/02\/MFA-SmartPhone2-20x13.jpg 20w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2021\/02\/MFA-SmartPhone2.jpg 1024w\" sizes=\"auto, (max-width: 768px) 100vw, 768px\" \/><\/a><p id=\"caption-attachment-10761\" class=\"wp-caption-text\">&#8220;hands-coffee-smartphone-technology&#8221; by CC\u00d8BAY is marked under CC0 1.0<\/p><\/div>\n<p><span style=\"font-weight: 400\">TOTP is easy to set up with Couchbase Server using external authentication.\u00a0 Using external authentication means we can set up our authentication system once and reuse it across multiple Couchbase clusters.\u00a0 We\u2019ll use <a href=\"https:\/\/docs.couchbase.com\/server\/current\/manage\/manage-security\/configure-ldap.html\">LDAP<\/a> to make TOTP MFA mandatory in addition to the user providing their password.\u00a0 Before we get started, first install the TOTP MFA mobile application of your choice onto your smartphone. 
Again, Google Authenticator and Authy are great choices.<\/span><\/p>\n<p><span style=\"font-weight: 400\">I\u2019ll give an easy example using a simple Go LDAP Authentication Server (<\/span><a href=\"https:\/\/github.com\/glauth\/glauth\"><span style=\"font-weight: 400\">GLAuth<\/span><\/a><span style=\"font-weight: 400\">).\u00a0\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400\">I will be using <a href=\"https:\/\/www.couchbase.com\/blog\/introducing-couchbase-7-beta\/\">Couchbase Server 7.0 Beta<\/a> but the method shown here will work with any Enterprise Edition of Couchbase 6.5 and later.\u00a0 The first step is to download the pre-built package from the GLAuth <\/span><a href=\"https:\/\/github.com\/glauth\/glauth\/releases\"><span style=\"font-weight: 400\">GitHub releases page<\/span><\/a><span style=\"font-weight: 400\">, which is available across Windows, Linux and macOS for both x86 and ARM platforms.\u00a0 I\u2019ll be using the macOS version, but you can adjust the binary name for your platform in the example commands.\u00a0 Also download the sample <\/span><a href=\"https:\/\/github.com\/glauth\/glauth\/blob\/master\/sample-simple.cfg\"><span style=\"font-weight: 400\">configuration file<\/span><\/a><span style=\"font-weight: 400\">.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400\">The sample LDAP configuration includes a user called otpuser who is configured for TOTP and has a password of <\/span><b>mysecret<\/b><span style=\"font-weight: 400\">. 
We\u2019ll use this username and password, but we\u2019ll modify the sample configuration file to change the other secrets to new secrets of our own.<\/span><\/p>\n<p><span style=\"font-weight: 400\">I first generated a random string from the macOS or Linux shell, but you can use any tool you like that generates a 32-character base32 string.\u00a0 This will be the <strong>otpsecret<\/strong>.<\/span><br \/>\n<code>$ LC_ALL=C tr -dc 'A-Z2-7' &lt;\/dev\/urandom | head -c 32; echo<br \/>\nRHRHQ7AC2X4UYZ2WQQ4LHZUCGDQXXQTG<\/code><br \/>\n<span style=\"font-weight: 400\">Now generate a couple more 16-character random strings; these will be used as backup codes to log in in case the user loses their mobile device or needs to programmatically connect to Couchbase Server and bypass the MFA.\u00a0\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400\">For each backup code we also need the <a href=\"https:\/\/en.wikipedia.org\/wiki\/SHA-2\">SHA-256 hash<\/a>:\u00a0<\/span><\/p>\n<pre>$ echo -n \"WBMVOM6F4YAQPDBV\" | openssl dgst -sha256\r\n33e34cbeebce316c6539cd473fb22ea9a69a43059ff18bd801842af1d6c2ea0e\r\n\r\n$ echo -n \"35VD4NGLB3FD6NK5\" | openssl dgst -sha256\r\n38fd1f0065973fdebae168897e7b587e01b8ec3c996bb808b9af89acb1001760<\/pre>\n<p>&nbsp;<\/p>\n<p><span style=\"font-weight: 400\">We\u2019ll modify the LDAP configuration file to change the <strong>otpsecret<\/strong> line and include these SHA-256 backup codes with a new line in the configuration starting with passappsha256.<\/span><\/p>\n<pre class=\"\">[[users]]\r\n  name = \"otpuser\"\r\n  unixid = 5004\r\n  primarygroup = 5501\r\n  passsha256 = \"652c7dc687d98c9889304ed2e408c74b611e86a40caa51c4b43f1dd5913c5cd0\" # mysecret\r\n  otpsecret = \"RHRHQ7AC2X4UYZ2WQQ4LHZUCGDQXXQTG\"\r\n  passappsha256 = [\r\n    \"33e34cbeebce316c6539cd473fb22ea9a69a43059ff18bd801842af1d6c2ea0e\", # WBMVOM6F4YAQPDBV\r\n 
   \"38fd1f0065973fdebae168897e7b587e01b8ec3c996bb808b9af89acb1001760\", # 35VD4NGLB3FD6NK5\r\n  ]\r\n  yubikey = \"vvjrcfalhlaa\"<\/pre>\n<p><span style=\"font-weight: 400\">These backup pass-codes must be kept in a safe place, ideally offline.\u00a0 <\/span><span style=\"font-weight: 400\">You also wouldn\u2019t want plain-text comments in your configuration file that expose passwords, as I\u2019ve shown here for demonstration purposes.<\/span><\/p>\n<p><span style=\"font-weight: 400\">I will also disable TLS\/SSL for this demo; you will want to enable it in a production environment, though!<br \/>\n<\/span><span style=\"font-weight: 400\">In the [ldaps] section, change enabled to false:\u00a0<\/span><\/p>\n<pre class=\"\">[ldaps]\r\n  enabled = false<\/pre>\n<p><span style=\"font-weight: 400\">Next we\u2019ll generate a QR code for our phone application.<br \/>\n<\/span><span style=\"font-weight: 400\">Visit <\/span><a href=\"https:\/\/freeotp.github.io\/qrcode.html\"><span style=\"font-weight: 400\">https:\/\/freeotp.github.io\/qrcode.html<\/span><\/a><span style=\"font-weight: 400\">\u00a0<\/span><\/p>\n<div id=\"attachment_10749\" style=\"width: 910px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/2021\/02\/MFA-QR.png\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-10749\" class=\"wp-image-10749 size-large\" src=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/2021\/02\/MFA-QR-1024x782.png\" alt=\"MFA QR Code\" width=\"900\" height=\"687\" srcset=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2021\/02\/MFA-QR-1024x782.png 1024w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2021\/02\/MFA-QR-300x229.png 300w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2021\/02\/MFA-QR-768x586.png 768w, 
https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2021\/02\/MFA-QR-20x15.png 20w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2021\/02\/MFA-QR.png 1226w\" sizes=\"auto, (max-width: 900px) 100vw, 900px\" \/><\/a><p id=\"caption-attachment-10749\" class=\"wp-caption-text\">MFA QR Code from FreeOTP<\/p><\/div>\n<p><span style=\"font-weight: 400\">Change the type from <strong>Counter<\/strong> to <strong>Timeout<\/strong><\/span><span style=\"font-weight: 400\"><br \/>\n<\/span><span style=\"font-weight: 400\">We\u2019ll call the account name Couchbase Cluster otpuser<br \/>\n<\/span><span style=\"font-weight: 400\">And use our generated <strong>otpsecret<\/strong> string for the secret.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400\">Now I scan this QR code with my mobile phone app, and it has started generating temporary passwords.\u00a0<\/span><\/p>\n<div id=\"attachment_10752\" style=\"width: 262px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/2021\/02\/MFA-TOTP.png\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-10752\" class=\"wp-image-10752 size-medium\" src=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/2021\/02\/MFA-TOTP-252x300.png\" alt=\"MFA TOTP App\" width=\"252\" height=\"300\" srcset=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2021\/02\/MFA-TOTP-252x300.png 252w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2021\/02\/MFA-TOTP-300x357.png 300w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2021\/02\/MFA-TOTP-17x20.png 17w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2021\/02\/MFA-TOTP.png 618w\" sizes=\"auto, (max-width: 252px) 100vw, 252px\" \/><\/a><p id=\"caption-attachment-10752\" class=\"wp-caption-text\">MFA TOTP App Output<\/p><\/div>\n<p><span style=\"font-weight: 400\">I will then startup my LDAP server with the 
configuration file.\u00a0<\/span><\/p>\n<pre>.\/glauthOSX -c sample-simple.cfg<\/pre>\n<p><span style=\"font-weight: 400\">Now I will configure my Couchbase Cluster to connect to the LDAP Server, under the security settings of the UI.\u00a0<\/span><\/p>\n<div id=\"attachment_10753\" style=\"width: 778px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/2021\/02\/MFA-LDAP-Settings.png\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-10753\" class=\"size-medium_large wp-image-10753\" src=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/2021\/02\/MFA-LDAP-Settings-768x657.png\" alt=\"MFA LDAP Settings\" width=\"768\" height=\"657\" srcset=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2021\/02\/MFA-LDAP-Settings-768x657.png 768w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2021\/02\/MFA-LDAP-Settings-300x257.png 300w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2021\/02\/MFA-LDAP-Settings-20x17.png 20w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2021\/02\/MFA-LDAP-Settings.png 916w\" sizes=\"auto, (max-width: 768px) 100vw, 768px\" \/><\/a><p id=\"caption-attachment-10753\" class=\"wp-caption-text\">MFA &#8211; LDAP Settings in Couchbase Server<\/p><\/div>\n<p><span style=\"font-weight: 400\">The LDAP Host is the hostname or IP where the LDAP server is running and the Port is 3893.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400\">I will configure my cluster to connect to the LDAP server with credentials.<\/span><\/p>\n<p><span style=\"font-weight: 400\">Bind DN = cn=serviceuser,ou=svcaccts,dc=glauth,dc=com<br \/>\n<\/span><span style=\"font-weight: 400\">Password = mysecret<\/span><\/p>\n<p>Click &#8220;Check Network Settings&#8221; to test the connectivity to the LDAP server.<\/p>\n<p><span style=\"font-weight: 400\">Now I will enable LDAP User authentication and test my otpuser 
account.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400\">Template is cn=%u,ou=superheros,dc=glauth,dc=com<\/span><\/p>\n<p><span style=\"font-weight: 400\">The username to test with is otpuser<\/span><\/p>\n<p><span style=\"font-weight: 400\">And the password is <strong>mysecret<\/strong>XXXXXX, where XXXXXX is the 6-digit OTP from your mobile app.<\/span><\/p>\n<div id=\"attachment_10754\" style=\"width: 778px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/2021\/02\/MFA-LDAP-Settings2.png\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-10754\" class=\"wp-image-10754 size-medium_large\" src=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/2021\/02\/MFA-LDAP-Settings2-768x584.png\" alt=\"Additional MFA LDAP Settings\" width=\"768\" height=\"584\" srcset=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2021\/02\/MFA-LDAP-Settings2-768x584.png 768w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2021\/02\/MFA-LDAP-Settings2-300x228.png 300w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2021\/02\/MFA-LDAP-Settings2-20x15.png 20w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2021\/02\/MFA-LDAP-Settings2.png 926w\" sizes=\"auto, (max-width: 768px) 100vw, 768px\" \/><\/a><p id=\"caption-attachment-10754\" class=\"wp-caption-text\">MFA LDAP Settings User Auth<\/p><\/div>\n<p><span style=\"font-weight: 400\">If that is working and returns a positive result when you test it, then save your LDAP configuration.\u00a0 If you need more information, please review the documentation on <a href=\"https:\/\/docs.couchbase.com\/server\/current\/manage\/manage-security\/configure-ldap.html#configure-ldap-with-the-ui\">configuring LDAP with Couchbase Server<\/a>.\u00a0 You can now add the user otpuser to your Couchbase Cluster as an external user and provide the user some RBAC 
credentials.<\/span><\/p>\n<p><span style=\"font-weight: 400\">Congratulations! When you log in with this user, you will need to provide your MFA OTP appended to the end of the \u2018<strong>mysecret<\/strong>\u2019 password each time.\u00a0 Alternatively, you can log in with the username otpuser and one of the backup pass-codes, such as WBMVOM6F4YAQPDBV, which will bypass the MFA requirement.<\/span><span style=\"font-weight: 400\"><br \/>\n<\/span><span style=\"font-weight: 400\"><br \/>\n<\/span><span style=\"font-weight: 400\">You can repeat the steps to add several more users to your Couchbase cluster.<\/span><\/p>\n<p>&nbsp;<\/p>\n<h2><span style=\"font-weight: 400\">Password + Hardware Token<\/span><\/h2>\n<p><span style=\"font-weight: 400\">The next step up in security is to use a hardware token instead of a mobile app software token.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400\">This technique is generally more secure than a software token as it is offline and even more difficult for a hacker to acquire.\u00a0 Other security benefits are that the temporary password length is longer and it helps avoid some misconfigurations that can make software tokens less secure.\u00a0 The hardware token devices also keep the underlying cryptographic secrets inside their hardware without any interfaces to access them directly, so it\u2019s extremely difficult to accidentally leak this information.\u00a0 The downside is that each user will need to acquire a physical token to generate their pass-codes.<\/span><\/p>\n<p><span style=\"font-weight: 400\">These hardware tokens come in a few different forms.\u00a0<\/span><\/p>\n<div id=\"attachment_10755\" style=\"width: 778px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/2021\/02\/MFA-SecurityTokens1.jpg\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-10755\" class=\"wp-image-10755 size-medium_large\" 
src=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/2021\/02\/MFA-SecurityTokens1-768x509.jpg\" alt=\"MFA Security Tokens 1\" width=\"768\" height=\"509\" srcset=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2021\/02\/MFA-SecurityTokens1-768x509.jpg 768w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2021\/02\/MFA-SecurityTokens1-300x199.jpg 300w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2021\/02\/MFA-SecurityTokens1-20x13.jpg 20w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2021\/02\/MFA-SecurityTokens1.jpg 800w\" sizes=\"auto, (max-width: 768px) 100vw, 768px\" \/><\/a><p id=\"caption-attachment-10755\" class=\"wp-caption-text\">&#8220;RSA Tokens&#8221; by EdwinMSarmiento is licensed with CC BY-SA 2.0.<\/p><\/div>\n<div id=\"attachment_10756\" style=\"width: 778px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/2021\/02\/MFA-SecurityTokens2.jpg\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-10756\" class=\"size-medium_large wp-image-10756\" src=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/2021\/02\/MFA-SecurityTokens2-768x523.jpg\" alt=\"MFA Security Tokens 2\" width=\"768\" height=\"523\" srcset=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2021\/02\/MFA-SecurityTokens2-768x523.jpg 768w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2021\/02\/MFA-SecurityTokens2-300x204.jpg 300w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2021\/02\/MFA-SecurityTokens2-235x160.jpg 235w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2021\/02\/MFA-SecurityTokens2-20x14.jpg 20w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2021\/02\/MFA-SecurityTokens2.jpg 800w\" sizes=\"auto, (max-width: 768px) 100vw, 768px\" \/><\/a><p id=\"caption-attachment-10756\" 
class=\"wp-caption-text\">&#8220;Hardware Authentication Security Keys (Yubico Yubikey 4 and Feitian MultiPass FIDO)&#8221; by Tony Webster is licensed with CC BY 2.0.<\/p><\/div>\n<p><span style=\"font-weight: 400\">The first photo shows devices which have a small LCD screen and require an internal battery.\u00a0 The user types the short pass-code shown on the screen into their application.\u00a0 The pass-code on the screen changes continually, similar to the software based token earlier.\u00a0 The most common version of this type of device is the <a href=\"https:\/\/en.wikipedia.org\/wiki\/RSA_SecurID\">RSA SecurID token<\/a>.\u00a0\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400\">The second photo shows newer style hardware tokens which connect to a host machine or mobile phone via USB, Bluetooth or NFC.\u00a0 These devices act like a keyboard and directly send the one-time password when they are physically present and a button is pressed, but often do not require an internal battery.\u00a0 The OTP is typically a long string of random characters, making them very secure.\u00a0 The most common version of this type of hardware token is a <a href=\"https:\/\/www.yubico.com\/products\/\">Yubikey<\/a> from Yubico.\u00a0 <\/span><\/p>\n<p><span style=\"font-weight: 400\">Let\u2019s look at how to use a Yubikey 5 NFC as a hardware token OTP MFA. 
As of Feb 2021 these cost around $45 in the US, \u20ac45 in the EU and \u00a345 in the UK each, but the same token can safely be used for a wide variety of applications.<\/span><\/p>\n<p><span style=\"font-weight: 400\">We\u2019ll use the earlier software token MFA setup as a starting point, re-using the same LDAP system and adding additional configurations.\u00a0 Again, the technique shown here will work with Couchbase Server versions 6.5.0 and later.<\/span><\/p>\n<p><span style=\"font-weight: 400\">The first step is to go to\u00a0 <a href=\"https:\/\/upgrade.yubico.com\/getapikey\/\">https:\/\/upgrade.yubico.com\/getapikey\/<\/a>\u00a0 to generate a shared symmetric key for use with the Yubico Web Services.\u00a0 This will generate a Client ID and Secret Key which we will provide to the LDAP server.\u00a0 The web form will request an email address and an OTP.\u00a0 I just inserted my yubikey into the USB and pressed the button while the OTP field of the web-form had focus, letting the device act like a keyboard and type in the passcode.\u00a0 The first 12 characters that are generated are your yubikey\u2019s unique id; save these as well as the generated yubico <strong>clientid<\/strong> and <strong>secret<\/strong> for later.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400\">Next, modify the LDAP configuration file,\u00a0 uncommenting the lines that start with \u201cyubikeyclientid\u201d and \u201cyubikeysecret\u201d, changing the values to the <strong>clientid<\/strong> and <strong>secret<\/strong> provided by Yubico.<\/span><\/p>\n<pre>yubikeyclientid = \"12345\"\r\nyubikeysecret = \"xxxxxxxxxxxxxxxxxxxxxxxxxx\"<\/pre>\n<p><span style=\"font-weight: 400\">Then add the unique yubikey id to the otpuser\u2019s configuration in the LDAP config file.\u00a0 Remember that this is the first 12 characters generated when the yubikey button is pressed. 
<\/span><\/p>\n<pre class=\"\">[[users]]\r\n  name = \"otpuser\"\r\n  unixid = 5004\r\n  primarygroup = 5501\r\n  passsha256 = \"652c7dc687d98c9889304ed2e408c74b611e86a40caa51c4b43f1dd5913c5cd0\" # mysecret\r\n  otpsecret = \"RHRHQ7AC2X4UYZ2WQQ4LHZUCGDQXXQTG\"\r\n  passappsha256 = [\r\n    \"33e34cbeebce316c6539cd473fb22ea9a69a43059ff18bd801842af1d6c2ea0e\", # WBMVOM6F4YAQPDBV\r\n    \"38fd1f0065973fdebae168897e7b587e01b8ec3c996bb808b9af89acb1001760\", # 35VD4NGLB3FD6NK5\r\n  ]\r\n  yubikey = \"ccccxxxxxxxx\"<\/pre>\n<p><span style=\"font-weight: 400\">Now stop and restart the LDAP server if it was already running, otherwise just start it up.<\/span><\/p>\n<pre>.\/glauthOSX -c sample-simple.cfg<\/pre>\n<p><span style=\"font-weight: 400\">Now you can log in to the Couchbase cluster as the otpuser.\u00a0 Type the password \u201c<strong>mysecret<\/strong>\u201d, then, while the password field is still active and the yubikey is inserted into the USB interface, press the button on the yubikey.\u00a0 The yubikey will append a very long and secure OTP to the end of the password \u201c<strong>mysecret<\/strong>\u201d.\u00a0 Once you are logged in, you can remove the yubikey from your device.<\/span><\/p>\n<h2><span style=\"font-weight: 400\">Password + Universal 2nd Factor (U2F)<\/span><\/h2>\n<p><span style=\"font-weight: 400\">The final and most secure method of MFA we\u2019ll look at is Universal 2nd Factor, known as U2F.\u00a0 The U2F MFA model has all the benefits of the hardware token in the previous example, but one key difference is that it is also protected against phishing, where an attacker tricks you into providing the one-time password, usually by creating a fake website that mimics the original one.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400\">U2F was created as an open standard by Google and Yubico to provide strong protections against phishing, session hijacking, 
man-in-the-middle, and malware attacks.\u00a0 It achieves this by having your browser directly interact with the device over USB or NFC interfaces in a 2 way communication when the physical button is pressed on the key. This secure communication is using asymmetric cryptography with public-key authentication.\u00a0 The key pair created by the U2F device during registration is origin specific.\u00a0 This embeds a combination of protocol, hostname and port into the key pair. This means, if a phishing site attempts to trick you and isn\u2019t from the same origin, the U2F key will instantly spot the mismatch and the attempt will be thwarted.\u00a0 The U2F standard is now managed by the FIDO alliance.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400\">Let\u2019s see how to set up U2F MFA with Couchbase Server.\u00a0 We could set this up using the same Yubikey 5 NFC from the previous examples, but this time I want to show you that cheaper options are also available.\u00a0 I picked up a HyperFIDO PRO U2F mini USB key online for only \u00a38, here\u2019s a photo of a similar device from Key-ID.\u00a0\u00a0\u00a0<\/span><\/p>\n<div id=\"attachment_10757\" style=\"width: 230px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/2021\/02\/MFA-SecurityTokens3.gif\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-10757\" class=\"size-full wp-image-10757\" src=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/2021\/02\/MFA-SecurityTokens3.gif\" alt=\"MFA Security Tokens 3\" width=\"220\" height=\"100\" \/><\/a><p id=\"caption-attachment-10757\" class=\"wp-caption-text\">\u00a9 User:Mayopuk \/ Wikimedia Commons \/ CC-BY-SA-3.0<\/p><\/div>\n<p><span style=\"font-weight: 400\">Also this time, instead of using LDAP, we\u2019ll use the Linux Pluggable Authentication Module (PAM) method of externally authenticating users, just to show how a different external authentication source can work. 
\u00a0 I\u2019m going to do this with the Couchbase Server 7.0 Beta and Ubuntu 18, but the same steps will work on all currently supported versions of Couchbase Server Enterprise Edition and all supported Linux distributions.<\/span><\/p>\n<p><span style=\"font-weight: 400\">The first step is to follow the steps in the Couchbase Server <a href=\"https:\/\/docs.couchbase.com\/server\/current\/manage\/manage-security\/configure-pam.html\">documentation on setting up a PAM authenticated user<\/a>.<\/span><\/p>\n<p><span style=\"font-weight: 400\">Ensure \/etc\/default\/saslauthd has START=yes<\/span><\/p>\n<p><span style=\"font-weight: 400\">And modify \/etc\/default\/saslauthd, adding \u201c -t 10\u201d to the options string to set a 10 sec timeout.\u00a0 <\/span><span style=\"font-weight: 400\">For example,\u00a0<\/span><\/p>\n<pre>OPTIONS=\"-c -m \/var\/run\/saslauthd -t 10\"<\/pre>\n<p><span style=\"font-weight: 400\">Also make sure your \/etc\/pam.d\/couchbase file looks like this:<\/span><\/p>\n<pre class=\"\">@include common-auth\r\n@include common-password\r\n#auth    required   pam_u2f.so authfile=\/etc\/u2f_keys cue<\/pre>\n<p><span style=\"font-weight: 400\">After following the steps on configuring PAM you should have a user called \u201clinuxuser\u201d which is defined in your operating system and in the Couchbase Server cluster.\u00a0 Using the same host in your cluster where you configured PAM, you should be able to log in to the cluster\u2019s UI with the username and password.<\/span><\/p>\n<p><span style=\"font-weight: 400\">Next install the U2F PAM module; on Ubuntu it\u2019s as easy as this:<\/span><\/p>\n<pre>sudo apt-get install libpam-u2f<\/pre>\n<p><span style=\"font-weight: 400\">Next plug your U2F device into the USB if it isn\u2019t already.\u00a0 And make sure that the system running Couchbase Server can see it at an OS level. 
In my case I have Couchbase Server running on an Ubuntu Linux VM which is running on my Mac, so I have to configure my virtualization software to allow the USB device to directly attach to the VM.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400\">Running <strong>lsusb<\/strong> I can see the USB U2F key from my Linux OS.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400\">Next we need to perform a one-time U2F registration operation and store the output for the PAM module to use.\u00a0 It will tie the linuxuser to a specific U2F key on a specific hostname.\u00a0<\/span><br \/>\n<code>sudo pamu2fcfg --username=linuxuser &gt; \/tmp\/u2f_keys<br \/>\nEnter PIN for \/dev\/hidraw1: xxxxxxxx<\/code><br \/>\n<span style=\"font-weight: 400\">My U2F device flashes its light until I press the button, and my device also requires a PIN code, so it is yet another MFA factor.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400\">Next change the file permissions, ownership and location. 
<\/span><\/p>\n<pre class=\"\">$ chmod 600 \/tmp\/u2f_keys\r\n$ sudo chown root:root \/tmp\/u2f_keys\r\n$ sudo mv \/tmp\/u2f_keys \/etc\/u2f_keys<\/pre>\n<p><span style=\"font-weight: 400\">Now uncomment the last line in the \/etc\/pam.d\/couchbase file, so it looks like this:<\/span><\/p>\n<pre class=\"\">@include common-auth\r\n@include common-password\r\nauth    required   pam_u2f.so authfile=\/etc\/u2f_keys cue<\/pre>\n<p><span style=\"font-weight: 400\">And restart saslauthd\u00a0<\/span><\/p>\n<pre>sudo service saslauthd restart<\/pre>\n<p><span style=\"font-weight: 400\">Now when you log in to your cluster as the linuxuser account in the Couchbase cluster UI, it will wait for the U2F device\u2019s button to be pressed.\u00a0 Mine has a light that flashes to indicate it is active and waiting.\u00a0 As soon as I press it, the U2F keys are exchanged and verified, I am authenticated and can remove the USB device.\u00a0<\/span><\/p>\n<h2><span style=\"font-weight: 400\">Bonus: Password-less Authentication !\u00a0<\/span><\/h2>\n<p><span style=\"font-weight: 400\">If you wanted to try out passwordless authentication, you can now easily do this.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400\">Obviously this is less secure than using a U2F + password, but it is great for a development Couchbase cluster that does not store sensitive data and is running locally or firewalled to allow only your IP address to connect.\u00a0\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400\">In your PAM configuration file from the previous example, comment out the first 2 lines and leave only the U2F requirement,\u00a0 so your configuration looks like this:<\/span><\/p>\n<pre class=\"\">#@include common-auth\r\n#@include common-password\r\nauth    required   pam_u2f.so authfile=\/etc\/u2f_keys cue<\/pre>\n<p><span style=\"font-weight: 400\">Next restart saslauthd\u00a0<\/span><\/p>\n<pre>sudo 
service saslauthd restart<\/pre>\n<p><span style=\"font-weight: 400\">Now you can login to the Couchbase Server UI with the linuxuser account by providing the username, any random string in the password field, even just a single character.\u00a0 Then press on the U2F button when prompted. \u00a0 Passwordless authentication !<\/span><\/p>\n<h2><span style=\"font-weight: 400\">Conclusion<\/span><\/h2>\n<p><span style=\"font-weight: 400\">In this article I\u2019ve shown you what Multi-Factor Authentication is, why you should use it and several ways to implement it with Couchbase Server.\u00a0\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400\">If security is important to you, I recommend reading a few additional blog posts about our various features that help keep your Couchbase data protected.\u00a0<\/span><\/p>\n<ul>\n<li><span style=\"font-weight: 400\"><a href=\"https:\/\/www.couchbase.com\/blog\/at-rest-data-security-with-luks-encryption\/\">At-rest data security with LUKS encryption<\/a><\/span><\/li>\n<li><a href=\"https:\/\/www.couchbase.com\/blog\/managing-ldap-groups-for-external-users-in-6-5\/\">Managing LDAP groups for external users in 6.5<\/a><\/li>\n<li><a href=\"https:\/\/www.couchbase.com\/blog\/authentication-authorization-rbac\/\">Authentication and Authorization with RBAC<\/a><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400\">And I\u2019ll also share with you some of my favourite sites to keep on top of security topics in general,\u00a0<\/span><\/p>\n<ul>\n<li><span style=\"font-weight: 400\"><a href=\"https:\/\/www.schneier.com\/\">https:\/\/www.schneier.com\/<\/a><\/span><\/li>\n<li><a href=\"https:\/\/www.bleepingcomputer.com\/\">https:\/\/www.bleepingcomputer.com\/<\/a><\/li>\n<li><a href=\"https:\/\/googleprojectzero.blogspot.com\/\">https:\/\/googleprojectzero.blogspot.com\/<\/a><\/li>\n<li><a href=\"https:\/\/krebsonsecurity.com\/\">https:\/\/krebsonsecurity.com\/<\/a><\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>In 
this article I will explain what multi-factor authentication is, why you should be using it and how to easily implement it with Couchbase Server.\u00a0 We\u2019ll look at using both software and hardware implementations, which offer a tradeoff between cost, [&hellip;]<\/p>\n","protected":false},"author":1864,"featured_media":10763,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"inline_featured_image":false,"footnotes":""},"categories":[1815,1816,1813],"tags":[1455],"ppma_author":[8928],"class_list":["post-10748","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-best-practices-and-tutorials","category-couchbase-server","category-security","tag-authentication"],"acf":[],"authors":[{"term_id":8928,"user_id":1864,"is_guest":0,"slug":"ian-mccloycouchbase-com","display_name":"Ian McCloy, Director Product Management","avatar_url":"https:\/\/secure.gravatar.com\/avatar\/41f65bee70b5e03e46ae996303a13060d366d405ecb235ff5493d4f1ac3a6f3d?s=96&d=mm&r=g","author_category":"","last_name":"McCloy, Director Product Management","first_name":"Ian","job_title":"","user_url":"","description":"Ian McCloy is the Director of the Platform and Security Product Management Group for Couchbase and lives in the United Kingdom.  His dedicated team is responsible for the Reliability, Availability, Serviceability and Security architecture of Couchbase Server and the SaaS Database, Capella.  This team also own cloud-native platforms like the Couchbase Kubernetes Autonomous Operator.  Ian has a vast range of experience as a Software Engineer, Technical Support Engineer, Quality Assurance Engineer and Systems Administrator. Ian has led global technical teams for the majority of his 20 year professional career and holds several patents in the areas of information security, virtualisation and hardware design. https:\/\/www.linkedin.com\/in\/ianmccloy\/"}]}