diff --git a/security-compatibility-with-mysql.md b/security-compatibility-with-mysql.md index fce6496e8e1ad..365d0434b68ac 100644 --- a/security-compatibility-with-mysql.md +++ b/security-compatibility-with-mysql.md 
@@ -8,9 +8,27 @@ aliases: ['/docs/dev/security-compatibility-with-mysql/','/docs/dev/reference/se TiDB supports similar security functionality to MySQL 5.7, with the following exceptions: -- Only the `mysql_native_password` password-based and certificate-based authentication is supported -- External authentication (such as with LDAP) is not currently supported - Column level permissions are not supported - Password expiry, as well as password last-changed tracking and password lifetime are not supported [#9709](https://github.com/pingcap/tidb/issues/9709) - The permission attributes `max_questions`, `max_updated`, `max_connections`, `max_user_connections` are not supported - Password validation is not currently supported [#9741](https://github.com/pingcap/tidb/issues/9741) + +## Authentication plugin status + +TiDB supports multiple authentication methods. These methods can be specified on a per user basis using [`CREATE USER`](/sql-statements/sql-statement-create-user.md) and [`ALTER USER`](/sql-statements/sql-statement-create-user.md). These methods are compatible with the authentication methods of MySQL with the same names. + +You can use one of the following supported authentication methods in the table. To specify a default method that the server advertises when the client-server connection is being established, set the [`default_authentication_plugin`](/system-variables.md#default_authentication_plugin) variable. Support for TLS authentication is configured differently, for that see [Enable TLS between TiDB Clients and Servers](https://docs.pingcap.com/tidb/stable/enable-tls-between-clients-and-servers). 
+ +| Authentication Method | Supported | +| :------------------------| :--------------- | +| `mysql_native_password` | Yes | +| `sha256_password` | No | +| `caching_sha2_password` | Yes, since 5.2.0 | +| `auth_socket` | No | +| [TLS Certificates] | Yes | +| LDAP | No | +| PAM | No | +| ed25519 (MariaDB) | No | +| GSSAPI (MariaDB) | No | + +[TLS Certificates]: /enable-tls-between-clients-and-servers.md diff --git a/system-variables.md b/system-variables.md index 40d2933076cd1..688c28bcdd672 100644 --- a/system-variables.md +++ b/system-variables.md @@ -128,6 +128,13 @@ mysql> SELECT * FROM t1; - This variable indicates the location where data is stored. This location can be a local path or point to a PD server if the data is stored on TiKV. - A value in the format of `ip_address:port` indicates the PD server that TiDB connects to on startup. +### default_authentication_plugin + +- Scope: GLOBAL +- Default value: `mysql_native_password` +- This variable sets the authentication method that the server advertises when the server-client connection is being established. Possible values for this variable are documented in [Authentication plugin status](/security-compatibility-with-mysql.md#authentication-plugin-status) +- Value options: `mysql_native_password` and `caching_sha2_password` (since v5.2.0). For more details, see [Authentication plugin status](/security-compatibility-with-mysql.md#authentication-plugin-status). + ### ddl_slow_threshold - Scope: INSTANCE
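Review bot: The `ALTER USER` link in the new "Authentication plugin status" paragraph points at `/sql-statements/sql-statement-create-user.md`, the same target as the `CREATE USER` link beside it; it should point at the ALTER USER statement's own page. Two smaller consistency points in the same hunk: the TLS sentence links to the absolute `https://docs.pingcap.com/tidb/stable/enable-tls-between-clients-and-servers` URL while the table's `[TLS Certificates]` reference uses the relative `/enable-tls-between-clients-and-servers.md`, so the paragraph should use the relative path like the rest of the file; and the table says "Yes, since 5.2.0" where the system-variables hunk writes "since v5.2.0", so pick one version format. Since the table now states that LDAP, PAM and `auth_socket` are unsupported, dropping the old "External authentication (such as with LDAP) is not currently supported" bullet is fine, but consider keeping a one-line pointer from the exceptions list to the new section so readers scanning only the list still find it.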
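Review bot: The new `### default_authentication_plugin` entry in `system-variables.md` is inserted before `### ddl_slow_threshold`, but alphabetically `ddl_` sorts before `default_`, so the section belongs after `ddl_slow_threshold` to keep the file's ordering. The entry also repeats itself: the "This variable sets the authentication method..." bullet and the "Value options:" bullet both link to `[Authentication plugin status]`, and the first bullet is missing its terminating period; fold the two into one bullet that lists the options and links once. Finally, the description should make explicit what the first file's text implies: this variable only changes the method the server advertises during the handshake, and does not alter the method already assigned to existing users, which is set per user via `CREATE USER` / `ALTER USER`, otherwise operators may expect switching the default to `caching_sha2_password` to migrate existing `mysql_native_password` accounts.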