I'm developing an enterprise web application, hosted on site and managed by the corporate IT team. I do not have remote access to the server, and the only way in is through the web interface. I'd like to install the phpMyAdmin-like Adminer (https://www.adminer.org/) so I can do database maintenance remotely.
How do I properly secure it? I don't feel comfortable just using the SQL database login, since the application contains sensitive information. I want to implement a multi-factor authentication. First logging in to the web application, then requesting a security token sent to my email, and only when I successfully provide both my password and the token, am I allowed access to Adminer, using which I will login to the database.
Update:
One way I can think of is to put the Adminer.php file out of the publicly accessible directory, and then require it in after passing authentication tests? Would that be secure enough? Of course I would make a new SQL user with very limited privileges.
Best Answer
You can create
loginandloginFormmethods in customization. This allows you to e.g. add a link to send the 2FA code to your e-mail to the login form, add another input field to insert this code there too and check it when logging. If you create this plugin then you can share it with other users at https://www.adminer.org/en/plugins/.