diff --git a/src/etc/inc/auth.inc b/src/etc/inc/auth.inc
index dbb7e6c33..012faf2ba 100644
--- a/src/etc/inc/auth.inc
+++ b/src/etc/inc/auth.inc
@@ -300,7 +300,7 @@ function local_user_set(&$user, $force_password = false, $userattrs = null)
 @mkdir('/home', 0755);
- $user_pass = $user['password'];
+ $user_pass = '*'; /* integrated authentication stores passwords, set local to unreachable */
 $user_name = $user['name'];
 $user_uid = $user['uid'];
 $comment = str_replace(array(':', '!', '@'), ' ', $user['descr']);
@@ -326,7 +326,6 @@ function local_user_set(&$user, $force_password = false, $userattrs = null)
 * authentication is off. */
 $lock_account = 'unlock';
- $user_pass = '*';
 }
 if ($user_uid == 0) {
@@ -344,11 +343,6 @@ function local_user_set(&$user, $force_password = false, $userattrs = null)
 $user_gid = $user_group == 'wheel' ? 0 : 65534;
 if (!$force_password) {
- /* passwords only when integrated auth is disabled or forced */
- if (empty($config['system']['disableintegratedauth'])) {
- $user_pass = '*';
- }
-
 /* read from pw db if not provided (batch mode) */
 if ($userattrs === null) {
 $fd = popen("/usr/sbin/pw usershow -n {$user_name}", 'r');
@@ -365,8 +359,7 @@ function local_user_set(&$user, $force_password = false, $userattrs = null)
 $user_op = 'useradd -m -k /usr/share/skel -o';
 } elseif (
 $userattrs[0] == $user_name &&
- /* match only if disabled or enabled in order to detect a change */
- ($userattrs[1] == '*' && $user_pass == '*' || $userattrs[1] != '*' && $user_pass != '*') &&
+ $userattrs[1] == '*' &&
 $userattrs[2] == $user_uid &&
 $userattrs[3] == $user_gid &&
 $userattrs[7] == $comment &&
diff --git a/src/opnsense/service/templates/OPNsense/Auth/sshd.pam b/src/opnsense/service/templates/OPNsense/Auth/sshd.pam
index e1d5a607f..30b87832b 100644
--- a/src/opnsense/service/templates/OPNsense/Auth/sshd.pam
+++ b/src/opnsense/service/templates/OPNsense/Auth/sshd.pam
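Review bot: The comment added on the `$user_pass = '*';` line in the first hunk explains the intent only loosely ("stores passwords", "unreachable"), and since this value now lands in the password field of every locally provisioned account it should state why `*` is safe: no crypt(3) output can ever equal `*`, so pam_unix can never accept a password for the account and a login has to succeed through pam_opnsense, which the sshd.pam and system.pam templates in this same commit now load unconditionally. Suggested wording: `/* '*' never matches a crypt(3) hash: local password auth via pam_unix is off, logins go through pam_opnsense */`. With `$user_pass` now a constant, `$force_password` no longer influences what is written to the password field (its only remaining visible use is gating the `pw usershow` read in the third hunk), so if the function's docblock describes that parameter as forcing the configured hash into the pw database it needs updating as well. local_user_set's body starts before this hunk and continues after it.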
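Review bot: The rewritten elseif condition in the last auth.inc hunk drops the comment that explained the password-field check, and the bare `$userattrs[1] == '*' &&` is no longer self-explanatory now that the comparison against `$user_pass` is gone. A replacement comment would help the next reader, for example `/* an entry still holding a real hash (pre-upgrade state) must not match, so the account gets rewritten with '*' */` — the rewrite itself presumably happens in the branch that follows this condition, which lies outside the hunk. As `$userattrs` is parsed from external `pw usershow` output, `$userattrs[1] === '*' &&` would be the more explicit form; for two non-numeric strings PHP's loose comparison is already a plain string comparison, so this is a style point rather than a behaviour change. The enclosing `elseif (` opens inside the hunk but its closing parenthesis and body are outside it.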
@@ -5,18 +5,14 @@
 # auth
 #auth sufficient pam_krb5.so no_warn try_first_pass
 #auth sufficient pam_ssh.so no_warn try_first_pass
-{% if system.disableintegratedauth|default('0') == '0' %}
 auth sufficient pam_opnsense.so authtok_prompt=Password:
-{% endif %}
 auth required pam_unix.so no_warn try_first_pass authtok_prompt=Password:
 # account
 account required pam_nologin.so
 #account required pam_krb5.so
 account required pam_login_access.so
-{% if system.disableintegratedauth|default('0') == '0' %}
 account sufficient pam_opnsense.so
-{% endif %}
 account required pam_unix.so
 # session
diff --git a/src/opnsense/service/templates/OPNsense/Auth/system.pam b/src/opnsense/service/templates/OPNsense/Auth/system.pam
index 5a20861d4..38c20802b 100644
--- a/src/opnsense/service/templates/OPNsense/Auth/system.pam
+++ b/src/opnsense/service/templates/OPNsense/Auth/system.pam
@@ -5,17 +5,13 @@
 # auth
 #auth sufficient pam_krb5.so no_warn try_first_pass
 #auth sufficient pam_ssh.so no_warn try_first_pass
-{% if system.disableintegratedauth|default('0') == '0' %}
 auth sufficient pam_opnsense.so
-{% endif %}
 auth required pam_unix.so no_warn try_first_pass nullok
 # account
 #account required pam_krb5.so
 account required pam_login_access.so
-{% if system.disableintegratedauth|default('0') == '0' %}
 account sufficient pam_opnsense.so
-{% endif %}
 account required pam_unix.so
 # session
diff --git a/src/www/system_advanced_admin.php b/src/www/system_advanced_admin.php
index 3383db701..78fdce93d 100644
--- a/src/www/system_advanced_admin.php
+++ b/src/www/system_advanced_admin.php
@@ -63,7 +63,6 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
 $pconfig['httpaccesslog'] = isset($config['system']['webgui']['httpaccesslog']);
 $pconfig['disableconsolemenu'] = isset($config['system']['disableconsolemenu']);
 $pconfig['usevirtualterminal'] = isset($config['system']['usevirtualterminal']);
- $pconfig['disableintegratedauth'] = !empty($config['system']['disableintegratedauth']);
 $pconfig['sudo_allow_wheel'] = $config['system']['sudo_allow_wheel'];
 $pconfig['sudo_allow_group'] = isset($config['system']['sudo_allow_group']) ? $config['system']['sudo_allow_group'] : null;
 $pconfig['user_allow_gen_token'] = isset($config['system']['user_allow_gen_token']) ? explode(",", $config['system']['user_allow_gen_token']) : [];
@@ -241,12 +240,6 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
 unset($config['system']['usevirtualterminal']);
 }
- if (!empty($pconfig['disableintegratedauth'])) {
- $config['system']['disableintegratedauth'] = true;
- } elseif (isset($config['system']['disableintegratedauth'])) {
- unset($config['system']['disableintegratedauth']);
- }
-
 if (!empty($pconfig['sudo_allow_wheel'])) {
 $config['system']['sudo_allow_wheel'] = $pconfig['sudo_allow_wheel'];
 } elseif (isset($config['system']['sudo_allow_wheel'])) {
@@ -1042,16 +1035,6 @@ $(document).ready(function() { - - - - /> - - - -