Since 11.6, MariaDB has a new authentication method, named parsec authentication, based in PBKDF2 authentication + (standard) ed25519 signature
This will be the default in a few version in the futur (11.9 normally)

Protocol description

documention here

authentication plugin data format :

string<32> server nonce

Client has to respond sending an empty packet to request "ext-salt".

Server respond with ext-salt.
format:

• string<1> 'P' (denotes KDF algorithm = PBKDF2)
• byte<1> iteration factor. number of iterations correspond to 1024 << iteration factor (0x0 means 1024, 0x1 means 2048, etc.)
• byte salt

Client response :

• byte<32> client nonce
• byte<64> signature

The client nonce is 32 random bytes
The signature is generated by :

• generate derived key = hash password with PBKDF2 ( sha512 digest) with iteration number and salt from ext-salt.
• generate the signature with ed25519 of an array concatenation of server nonce + client nonce with the generated derived key as private key.

Example of implementation :

• in c: mariadb-corporation/mariadb-connector-c@e7316ff#diff-45017daf081bdc8957473b29a9a5980e1e8a95be02c39cee47fd193e138f7b4c
• in java: (https://github.com/mariadb-corporation/mariadb-connector-j/blob/6ce18d50b0e85c75f2a1f1821d53e38386ccb631/src/main/java/org/mariadb/jdbc/plugin/authentication/standard/ParsecPasswordPlugin.java#L56
  )

additionally, this is one of the authentication method that can be trusted for SSL fingerprint validation