Invoking MFA with ZDBC (or SDKs in general)

Question on ZDBC and MFA (under Posture checks). My understanding is that posture checks is within the OpenZiti SDKs (not, could not find a great link in documentation to these), therefore, could you invoke MFA via a popular 3rd party app when using zitified JDBC (i.e., not running ZDE)?

If yes, how would you go about it?

1 Like

Definitely keen to know the answer

Zitified JDBC isn’t really enough for me to have an answer. My instinct though, is “probably not”. I think trying to use MFA with ziti and JDBC will be exceptionally difficult. The challenge will be in the lifecycle if the of the connection. When you use MFA you need to be able to respond to events, show the user a dialog for digits etc.

Since you mentioned “3rd party app” that sort of UI and experience are probably not going to be under your control. Feels like it’ll be a difficult thing to accomplish. I could be wrong, but that’s my inclination.

1 Like

As a further question, is it possible to activate MFA using an OpenZiti configuration?

I was not able to find any details on how to configure the posture checks in ZAC.

Any tips?

You enable MFA for an identity “from the identity”. For example, on the latest ZDE for macOS (2.22), if MFA support is enabled (Advanced Settings/Enable MFA), a toggle appears for each identity that allows you to turn MFA on for that identity (a QR code presented that can be scanned by your TOTP application, e.g., Google Authenticator). ZDE for Windows has a similar workflow. Passing MFA is then required as a secondary authentication check before this identity can list/access any services.

MFA posture checks are additional authorization checks that can be centrally configured for services, and require MFA to be enabled and passing for an identity to access these services. These posture checks can also require MFA to be re-checked on wake, unlock, and/or after a configurable period of time.

MFA posture checks are configurable in ZAC under MANAGE IDENTITIES submenu “Posture Checks”, of type “Multi Factor”.

Awesome… just found it.

I will be giving this a work out later today :slight_smile:


Quick update… as I now have this working fine… After I installed the Google Authenticator.

When I setup the posture check, I used the MAC address specification…

my understanding is that this will restrict the use of the identity to a specific device… which is really cool

One question that was raised with a friend… is MAC address spoofing.

I don’t really know much about this… and thought to ask… if this is possible or not with a Ziti overlay network

Looking forward to your feedback

Nice! I think the posture check you want (if you want additional checking of MFA for access to specific services) is the one of type “MFA” (called “Multi Factor” in ZAC).

Yes, the MAC address check is an additional layer of security, and it is vulnerable to MAC spoofing. The Process checks are more difficult to defeat as signing footprints can be configured and checked (so an attacker replacing the executable will be defeated).

1 Like

The value of the MAC check is that it could save the day if your key and cert are compromised, but the attacker doesn’t know what to use for a valid MAC address. It’s not as strong as the other auth & policy checks and relies on some “security through obscurity” (and knowhow on the attacker’s part), but we had people request it, even knowing this limitation.

1 Like

this is super interesting… is it possible to share a few insights and techniques on how you go about this.

When configuring a Process check, in addition to the path of the executable, you can specify a SHA512 hash to verify the executable is what’s expected, or you can specify the signer’s certificate fingerprint to verify the executable was signed by the expected entity.

Here’s an example of getting the signer fingerprint on macOS using either codesign or OpenSSL:

$ codesign -d --extract-certificates /Applications/``
$ shasum -a 1 ./codesign0 # or, openssl x509 -inform DER -in codesign0 -fingerprint -sha1 -noout
013e2787748a74103d62d2cdbf77a1345517c482  ./codesign0

Right… so looking at this and other posts, its possible from the SDK but it need to be managed and configured. Today this is done via the tunneler; if I embed it in my application running on the endpoint then my application needs to handle this function, the events and dialog etc.


This is really cool… thanks so much for sharing.

As an additional angle to requiring MFA, authentication policies were recently introduced and have poor documentation and CLI support (working on this, adds list auth-policies by andrewpmartinez · Pull Request #770 · openziti/ziti · GitHub).

Authentication policies have the ability to require TOTP MFA. The default authentication policy in a ziti network does not require it, but it can be turned on. Existing clients with auth policies that require MFA TOTP will have the ability to enroll while partially authenticated (i.e. passed cert/jwt/updb auth but not TOTP MFA).

All said:

  • auth policies can require MFA TOTP during authentication (i.e. logging in)
  • clients can always decide to have MFA TOTP for authentication regardless of auth policies
  • MFA posture checks can require MFA TOTP during authorization (i.e. creating service sessions/connecting)
1 Like

I found this in the code… along with another for posture checks… so maybe MFA for ZJDBC could be possible

I don’t really understand the code though