Cloud Authentication
ClickHouse Cloud provides a number of ways to authenticate. This guide explains some good practices for configuring your authentication. Always check with your security team when selecting authentication methods.
Password Settings
Minimum password settings for our console and services (databases) currently comply with NIST 800-63B Authenticator Assurance Level 1:
- Minimum 12 characters
- Includes 3 of the following 4 items:
- 1 uppercase letter
- 1 lowercase letter
- 1 number
- 1 special character
Email + Password
ClickHouse Cloud allows you to authenticate with an email address and password. When using this method the best way to protect your ClickHouse account use a strong password. There are many online resources to help you devise a password you can remember. Alternatively, you can use a random password generator and store your password in a password manager for increased security.
SSO Using Google or Microsoft Social Authentication
If your company uses Google Workspace or Microsoft 365, you can leverage your current single sign-on setup within ClickHouse Cloud. To do this, simply sign up using your company email address and invite other users using their company email. The effect is that your users must login using your company's login flows, whether via your identity provider or directly through Google or Microsoft authentication, before they can authenticate into ClickHouse Cloud.
Multi-Factor Authentication
Users with email + password or social authentication can further secure their account using multi-factor authentication (MFA). To set up MFA:
- Log into console.clickhouse.cloud
- Click your initials in the upper left corner next to the ClickHouse logo
- Select Profile
- Select Security on the left
- Click Set up in the Authenticator app tile
- Use an authenticator app such as Authy, 1Password or Google Authenticator to scan the QR code
- Enter the code to confirm
- On the next screen, copy the recovery code and store it in a safe place
- Check the box next to
I have safely recorded this code
- Click Continue
Account recovery
Obtain recovery code
If you previously enrolled in MFA and either did not create or misplaced your recovery code, follow these steps to get a new recovery code:
- Go to https://console.clickhouse.cloud
- Sign in with your credentials and MFA
- Go to your profile in the upper left corner
- Click Security on the left
- Click the trash can next to your Authenticator app
- Click Remove authenticator app
- Enter your code and click Continue
- Click Set up in the Authenticator app section
- Scan the QR code and input the new code
- Copy your recovery code and store it in a safe place
- Check the box next to
I have safely recorded this code
- Click Continue
Forgot password
If you forgot your password, follow these steps for self-service recovery:
- Go to https://console.clickhouse.cloud
- Enter your email address and click Continue
- Click Forgot your password?
- Click Send password reset link
- Check your email and click Reset password from the email
- Enter your new password, confirm the password and click Update password
- Click Back to sign in
- Sign in normally with your new password
Lost MFA device or token
If you lost your MFA device or deleted your token, follow these steps to recover and create a new token:
- Go to https://console.clickhouse.cloud
- Enter your credentials and click Continue
- On the Multi-factor authentication screen click Cancel
- Click Recovery code
- Enter the code and press Continue
- Copy the new recovery code and store it somewhere safe
- Click the box next to
I have safely recorded this code
and click continue - Once signed in, go to your profile in the upper left
- Click on security in the upper left
- Click the trash can icon next to Authenticator app to remove your old authenticator
- Click Remove authenticator app
- When prompted for your Multi-factor authentication, click Cancel
- Click Recovery code
- Enter your recovery code (this is the new code generated in step 7) and click Continue
- Copy the new recovery code and store it somewhere safe - this is a fail safe in case you leave the screen during the removal process
- Click the box next to
I have safely recorded this code
and click Continue - Follow the process above to set up a new MFA factor
Lost MFA and recovery code
If you lost your MFA device AND recovery code or you lost your MFA device and never obtained a recovery code, follow these steps to request a reset:
Submit a ticket: If you are in an organization that has other administrative users, even if you are attempting to access a single user organization, ask a member of your organization assigned the Admin role to log into the organization and submit a support ticket to reset your MFA on your behalf. Once we verify the request is authenticated, we will reset your MFA and notify the Admin. Sign in as usual without MFA and go to your profile settings to enroll a new factor if you wish.
Reset via email: If you are the only user in the organization, submit a support case via email ([email protected]) using the email address associated with your account. Once we verify the request is coming from the correct email, we will reset your MFA AND password. Access your email to access the password reset link. Set up a new password then go to your profile settings to enroll a new factor if you wish.
SAML SSO
ClickHouse Cloud also supports security assertion markup language (SAML) single sign on (SSO). For more information, see SAML SSO Setup.
Database User ID + Password
Use the SHA256_hash method when creating user accounts to secure passwords.
TIP: Since users with less than administrative privileges cannot set their own password, ask the user to hash their password using a generator such as this one before providing it to the admin to setup the account. Passwords should follow the requirements listed above.
CREATE USER userName IDENTIFIED WITH sha256_hash BY 'hash';