FIDO Authentication in Percona Server for MySQL 8.0.30-22

source link: https://www.percona.com/blog/fido-authentication-in-percona-server-for-mysql-8-0-30-22/

Percona Server for MySQL 8.0.30-22 introduces a new authentication plugin, named authentication_fido. With this plugin it is possible to perform multi-factor authentication using hardware keys, or single-factor passwordless authentication with the same keys. The plugin is in technical preview.

The plugin works exactly the same as the MySQL Enterprise FIDO authentication plugin, which is documented in detail in the official MySQL documentation and in the Percona Server for MySQL documentation.

To try out the plugin with a compatible hardware key, the server-side plugin first has to be installed:

Shell
INSTALL PLUGIN authentication_fido SONAME 'authentication_fido.so';

Then a user has to be created with both a password and FIDO authentication set:

Shell
CREATE USER 'test'@'localhost'
 IDENTIFIED WITH caching_sha2_password
   BY 'test_password'
  AND IDENTIFIED WITH authentication_fido;

Or an existing user has to be altered to add another factor:

Shell
ALTER USER 'test'@'localhost' ADD 2 FACTOR IDENTIFIED WITH authentication_fido;

After the user is created or altered, the hardware key has to be registered using the MySQL command line client:

Shell
mysql --user=test --password1 --fido-register-factor=2

The above command first asks for the password, and then asks the user to press the button on the hardware key or perform some other key-specific action.

After the hardware key is successfully registered, the same command can be used without the --fido-register-factor option to log the user in, in the same manner: first entering the password, and then pressing the button on the hardware key.

Shell
mysql --user=test --password1

If FIDO is to be used as the only method of authentication, a passwordless account can be created; the user executing the statement needs the PASSWORDLESS_USER_ADMIN privilege in addition to the CREATE USER privilege:

Shell
CREATE USER 'test'@'localhost' IDENTIFIED WITH authentication_fido INITIAL AUTHENTICATION IDENTIFIED BY '<password>';

In this case, the INITIAL AUTHENTICATION IDENTIFIED BY clause is required in the CREATE USER statement. The server does accept the statement without the clause, but the account is then unusable, because the user cannot connect to the server to register the device.

To revoke the hardware key from the user, the ALTER … UNREGISTER syntax can be used:

Shell
ALTER USER 'test'@'localhost' 2 FACTOR UNREGISTER;
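The steps above collected into one script, with the checks a DBA would run between them to confirm the plugin is loaded and to see whether the second factor is still waiting for a key to be registered. This is an added example, not code from the Percona post or from the plugin's documentation; the account names and the '<password>' placeholder are constructed, and the JSON layout of mysql.user.user_attributes used in the status query is an assumption taken from MySQL 8.0 behaviour.

```sql
-- Added example: full lifecycle of a FIDO-protected account in one script.
-- Assumptions: 'test'@'localhost' and 'test_pwless'@'localhost' are constructed
-- names, '<password>' is a placeholder, and the user_attributes JSON shape
-- (multi_factor_authentication[0].plugin / .requires_registration) is assumed.

-- 1. Install the server-side plugin and confirm it is active.
INSTALL PLUGIN authentication_fido SONAME 'authentication_fido.so';
SELECT PLUGIN_NAME, PLUGIN_STATUS
  FROM information_schema.PLUGINS
 WHERE PLUGIN_NAME = 'authentication_fido';
-- expected: one row with PLUGIN_STATUS = 'ACTIVE'

-- 2. Create the account: password as factor 1, hardware key as factor 2.
CREATE USER 'test'@'localhost'
  IDENTIFIED WITH caching_sha2_password BY '<password>'
  AND IDENTIFIED WITH authentication_fido;

-- 3. Check whether factor 2 still needs a key registered against it.
--    The account cannot satisfy factor 2 until this flag drops to 0.
SELECT user, host,
       JSON_EXTRACT(user_attributes,
                    '$.multi_factor_authentication[0].plugin') AS factor2_plugin,
       JSON_EXTRACT(user_attributes,
                    '$.multi_factor_authentication[0].requires_registration') AS needs_registration
  FROM mysql.user
 WHERE user = 'test' AND host = 'localhost';
-- expected right after CREATE USER: needs_registration = 1
-- Registration happens from the client, as described in the post:
--   mysql --user=test --password1 --fido-register-factor=2
-- Re-running the query afterwards should show needs_registration = 0.

-- 4. SHOW CREATE USER is the quickest audit of which factors an account requires.
SHOW CREATE USER 'test'@'localhost';

-- 5. Passwordless variant: FIDO as the only factor. The executing user needs
--    PASSWORDLESS_USER_ADMIN plus CREATE USER; the INITIAL AUTHENTICATION
--    clause is what lets the user connect once to register the key.
CREATE USER 'test_pwless'@'localhost'
  IDENTIFIED WITH authentication_fido
  INITIAL AUTHENTICATION IDENTIFIED BY '<password>';

-- 6. Revoke a lost or replaced key. The account keeps factor 2 but needs a
--    new --fido-register-factor=2 run before it can log in again.
ALTER USER 'test'@'localhost' 2 FACTOR UNREGISTER;

-- 7. If the hardware key is retired for good, drop the factor entirely
--    so the account does not stay permanently locked out on factor 2.
ALTER USER 'test'@'localhost' DROP 2 FACTOR;
```

After step 6 the status query from step 3 is the check to repeat: a row with needs_registration = 1 for an account that is supposed to be in production use means someone unregistered the key and nobody has re-enrolled it yet.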

For information about other features in the plugin, see the plugin documentation.

