MySQL 8.0.31
Source Code Documentation
authentication_fido information


  • The server side plugin name is authentication_fido
  • The client side plugin name is authentication_fido_client
  • Account - user account (user-host combination)
  • authentication_string - Transformation of Credential ID stored in mysql.user table
  • relying party ID - Unique name assigned to server by authentication_fido plugin
  • FIDO authenticator - A hardware token device
  • Salt - 32 byte long random data
  • Registration mode - Refers to state of connection where only ALTER USER is allowed to do registration steps.

How authentication_fido works?

Plugin authentication_fido works in two phases.

  • Registration of hardware token device
  • Authentication process

Registration process: This is a 2 step process for a given user account.

  • Initiate registration step.
  • Finish registration step.

Initiate registration: –fido-register-factor mysql client option initiates registration step.

  1. Client executes ALTER USER user() nth FACTOR INITIATE REGISTRATION;
  2. Server sends a challenge comprising of 32 bytes random salt, user id, relying party ID Format of challenge is: |length encoded 32 bytes random salt|length encoded user id (user name + host name)|length encoded relying party ID|
  3. Client receives challenge and passes to authentication_fido_client plugin with option "registration_challenge" using mysql_plugin_options()
  4. FIDO authenticator prompts physical human user to perform gesture action. This message can be accessed via callback. Register a callback with option "fido_messages_callback" using mysql_plugin_options()
  5. Once physical human user gesture action (touching the token) is performed, FIDO authenticator generates a public/private key pair, a credential ID( X.509 certificate, signature) and authenticator data.
  6. Client extracts credential ID(aka challenge response) from authentication_fido_client plugin with option "registration_response" using mysql_plugin_get_option() Format of challenge response is: |length encoded authenticator data|length encoded credential ID|

Finish registration:

  1. Client executes ALTER USER user() nth FACTOR FINISH REGISTRATION SET CHALLENGE_RESPONSE AS '?'; parameter is binded to challenge response received during initiate registration step.
  2. authentication_fido plugin verifies the challenge response and responds with an OK_Packet or rejects with ERR_Packet

Authentication process: Once initial authentication methods defined for user account are successful, server initiates fido authentication process. This includes following steps:

  1. Server sends a 32 byte random salt, relying party ID, credential ID to client.
  2. Client receives it and sends to FIDO authenticator.
  3. FIDO authenticator prompts physical human user to perform gesture action.
  4. FIDO authenticator extracts the private key based on relying party ID and signs the challenge.
  5. Client sends signed challenge to server.
  6. Server side fido authentication plugin verifies the signature with the public key and responds with an OK_Packet or with ERR_Packet