diff --git a/security-compatibility-with-mysql.md b/security-compatibility-with-mysql.md
index fce6496e8e1ad..be68e5331dd25 100644
--- a/security-compatibility-with-mysql.md
+++ b/security-compatibility-with-mysql.md
@@ -8,9 +8,25 @@ aliases: ['/docs/dev/security-compatibility-with-mysql/','/docs/dev/reference/se
 
 TiDB supports similar security functionality to MySQL 5.7, with the following exceptions:
 
-- Only the `mysql_native_password` password-based and certificate-based authentication is supported
-- External authentication (such as with LDAP) is not currently supported
 - Column level permissions are not supported
 - Password expiry, as well as password last-changed tracking and password lifetime are not supported [#9709](https://github.com/pingcap/tidb/issues/9709)
 - The permission attributes `max_questions`, `max_updated`, `max_connections`, `max_user_connections` are not supported
 - Password validation is not currently supported [#9741](https://github.com/pingcap/tidb/issues/9741)
+
+## Authentication plugin status
+
+Authentication in TiDB supports multiple authentication methods. The authentication method can be specified on a per user basis with [`CREATE USER`](/sql-statements/sql-statement-create-user.md) and [`ALTER USER`](/sql-statements/sql-statement-create-user.md). These authentication methods are compatible with the authentication methods of MySQL with the same name.
+
+The default authentication method the server advertises during connection establishment can be set with the [`default_authetication_format`](/system-variables.md#default_authentication_format).
+
+| Authentication Method    | Supported        |
+| :------------------------| :--------------- |
+| `mysql_native_password`  | Yes              |
+| `sha256_password`        | No               |
+| `caching_sha2_password`  | Yes, since 5.2.0 |
+| `auth_socket`            | No               |
+| TLS Certificates         | Yes              |
+| LDAP                     | No               |
+| PAM                      | No               |
+| ed25519 (MariaDB)        | No               |
+| GSSAPI (MariaDB)         | No               |
diff --git a/system-variables.md b/system-variables.md
index ea7a58394fdaa..eeb13f77005d0 100644
--- a/system-variables.md
+++ b/system-variables.md
@@ -127,6 +127,12 @@ mysql> SELECT * FROM t1;
 - This variable indicates the location where data is stored. This location can be a local path or point to a PD server if the data is stored on TiKV.
 - A value in the format of `ip_address:port` indicates the PD server that TiDB connects to on startup.
 
+### default_authentication_plugin
+
+- Scope: GLOBAL
+- Default value: `mysql_native_password`
+- This variable sets the authentication method that the server advertises when the server-cient connection is being established. Possible values for this variable are documented in [Authentication plugin status](/security-compatibility-with-mysql.md#authentication-plugin-status)
+
 ### ddl_slow_threshold
 
 - Scope: INSTANCE