diff --git a/src/etc/inc/authgui.inc b/src/etc/inc/authgui.inc
index b79b27a4a..8de8d00e7 100644
--- a/src/etc/inc/authgui.inc
+++ b/src/etc/inc/authgui.inc
@@ -202,37 +202,17 @@ function session_auth(&$Login_Error)
 /* Validate incoming login request */
 if (isset($_POST['login']) && !empty($_POST['usernamefld']) && !empty($_POST['passwordfld'])) {
- $authcfg = auth_get_authserver("Local Database");
- $authcfg_fallback = auth_get_authserver("Local Database");
-
- if (isset($config['system']['webgui']['authmode'])) {
- $authcfg = auth_get_authserver($config['system']['webgui']['authmode']);
- }
-
- if (!empty($config['system']['webgui']['authmode_fallback'])) {
- if ($config['system']['webgui']['authmode_fallback'] == "__NO_FALLBACK__") {
- // no fallback
- $authcfg_fallback = false;
- } else {
- $authcfg_fallback = auth_get_authserver($config['system']['webgui']['authmode_fallback']);
- }
- }
-
- if ($authcfg == $authcfg_fallback) {
- // it doesn't make sense to fallback to the same authenticator
- $authcfg_fallback = false;
- }
- // authenticate using config settings, or local if failed
- $authenticator = get_authenticator($authcfg);
+ $authservers = !empty($config['system']['webgui']['authmode']) ?
+ explode(',', $config['system']['webgui']['authmode']) : array('Local Database');
 $is_authenticated = false;
- if ($authenticator != null && $authenticator->authenticate($_POST['usernamefld'], $_POST['passwordfld'])) {
- $is_authenticated = true;
- }
- if (!$is_authenticated && $authcfg_fallback !== false) {
- $authenticator = get_authenticator($authcfg_fallback);
+
+ foreach ($authservers as $authserver) {
+ /* XXX careful, dereferenced below */
+ $authenticator = get_authenticator(auth_get_authserver($authserver));
 if ($authenticator != null && $authenticator->authenticate($_POST['usernamefld'], $_POST['passwordfld'])) {
 $is_authenticated = true;
+ break;
 }
 }
diff --git a/src/sbin/opnsense-auth b/src/sbin/opnsense-auth
index 8d1b8ae79..38fd2ddfd 100755
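Review bot: The new loop treats a name in `authmode` that no longer resolves exactly like a rejected password: `get_authenticator(auth_get_authserver($authserver))` yields null, the `!= null` test skips it, and nothing records that a configured backend was never consulted — the `/* XXX careful, dereferenced below */` comment hints at this but leaves it undocumented. With `authmode` now a free-form comma list, a renamed or deleted server silently shrinks the set of backends that are tried, which is hard to diagnose from a login failure alone. I would split the null case out and make it visible, `if ($authenticator == null) { /* stale or unknown name in authmode: skipped, not a credential failure */ continue; }` before the authenticate call, using whatever logging the surrounding file already has. The same gap exists in the opnsense-auth hunk, where a false or empty result of `auth_get_authserver($authserver)` is handed straight to `authenticate_user()`. session_auth() starts before and continues after this hunk.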
--- a/src/sbin/opnsense-auth
+++ b/src/sbin/opnsense-auth
@@ -55,42 +55,31 @@ while (($char = fgetc($fp)) !== false) {
 }
 }
+$is_authenticated = false;
 $exit_status = -1;
+
 if (!empty($auth_data['user']) && isset($auth_data['password'])) {
- $authcfg = auth_get_authserver("Local Database");
- $authcfg_fallback = auth_get_authserver("Local Database");
+ $authservers = !empty($config['system']['webgui']['authmode']) ?
+ explode(',', $config['system']['webgui']['authmode']) : array('Local Database');
- if (isset($config['system']['webgui']['authmode'])) {
- $authcfg = auth_get_authserver($config['system']['webgui']['authmode']);
- }
-
- if (!empty($config['system']['webgui']['authmode_fallback'])) {
- if ($config['system']['webgui']['authmode_fallback'] == "__NO_FALLBACK__") {
- // no fallback
- $authcfg_fallback = false;
- } else {
- $authcfg_fallback = auth_get_authserver($config['system']['webgui']['authmode_fallback']);
+ foreach ($authservers as $authserver) {
+ if (authenticate_user($auth_data['user'], $auth_data['password'], auth_get_authserver($authserver))) {
+ $is_authenticated = true;
+ break;
 }
 }
- if (authenticate_user($auth_data['user'], $auth_data['password'], $authcfg)) {
- // auth OK
+ if ($is_authenticated) {
 syslog(LOG_NOTICE, "user '".$auth_data['user']."' authenticated successfully\n");
 $exit_status = 0;
- } elseif ($authcfg != $authcfg_fallback && $authcfg_fallback !== false &&
- authenticate_user($auth_data['user'], $auth_data['password'], $authcfg_fallback)) {
- // auth OK, using fallback
- syslog(LOG_NOTICE, "user '".$auth_data['user']."' authenticated successfully (using fallback)\n");
- $exit_status = 0;
 } else {
 if (getUserEntry($auth_data['user']) === false) {
- $exit_status = 2;
+ $exit_status = 2;
 }
+ syslog(LOG_WARNING, "user '".$auth_data['user']."' could not authenticate.\n");
 }
 }
-// failed auth, return exit status -1
 closelog();
-
 exit($exit_status);
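Review bot: The success path no longer records which backend accepted the credentials: the removed code distinguished the primary server from `(using fallback)` in syslog, while the new `if ($is_authenticated)` branch writes one generic line even though several servers may now have been tried in order. Because `$authserver` still holds the accepting entry after `break`, the audit line can carry it cheaply: `syslog(LOG_NOTICE, "user '".$auth_data['user']."' authenticated successfully using '".$authserver."'\n");`. The failure branch could likewise name the servers consulted (`implode(',', $authservers)`) so an operator can tell a wrong password from a backend that was never reached. Whether `authenticate_user()` treats a false result of `auth_get_authserver($authserver)` as "no server" or as "local database" is not visible here; if it is the latter, a stale name in `authmode` would silently change which backend is used, so a check on the lookup result before the call is worth adding.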
diff --git a/src/www/system_authservers.php b/src/www/system_authservers.php
index ed6c14868..59ae0b300 100644
--- a/src/www/system_authservers.php
+++ b/src/www/system_authservers.php
@@ -189,7 +189,9 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
 $input_errors[] = gettext("RADIUS Timeout value must be numeric and positive.");
 }
 if (empty($pconfig['name'])) {
- $input_errors[] = gettext("A server name must be provided");
+ $input_errors[] = gettext('A server name must be provided.');
+ } elseif (strpos($pconfig['name'], ',') !== false) {
+ $input_errors[] = gettext('Invalid server name given.');
 }
 if (count($input_errors) == 0) {
diff --git a/src/www/system_usermanager_settings.php b/src/www/system_usermanager_settings.php
index 57110540f..86df309a2 100644
--- a/src/www/system_usermanager_settings.php
+++ b/src/www/system_usermanager_settings.php
@@ -33,8 +33,7 @@ require_once("guiconfig.inc");
 $save_and_test = false;
 if ($_SERVER['REQUEST_METHOD'] === 'GET') {
 $pconfig = array();
- $pconfig['authmode_fallback'] = !empty($config['system']['webgui']['authmode_fallback']) ? $config['system']['webgui']['authmode_fallback'] : "Local Database";
- foreach (array('session_timeout', 'authmode', 'password_policy_duration',
+ foreach (array('session_timeout', 'password_policy_duration',
 'enable_password_policy_constraints', 'password_policy_complexity',
 'password_policy_length') as $fieldname) {
 if (!empty($config['system']['webgui'][$fieldname])) {
@@ -43,7 +42,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
 $pconfig[$fieldname] = null;
 }
 }
-
+ $pconfig['authmode'] = !empty($config['system']['webgui']['authmode']) ? explode(',', $config['system']['webgui']['authmode']) : array();
 } elseif ($_SERVER['REQUEST_METHOD'] === 'POST') {
 $pconfig = $_POST;
 $input_errors = array();
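Review bot: The comma guard protects the delimiter on the server-definition side, but it does not cover what happens to the stored `authmode` list when a server that is listed there is renamed or deleted; those handlers are outside this hunk, and if they do not rewrite the list the stale name is silently skipped by the login loops in authgui.inc and opnsense-auth. A check that refuses to delete or rename a server still referenced in `system.webgui.authmode`, or one that rewrites the list in step, would close that gap. It is also worth trimming the name before the check if that is not done elsewhere, since the consumers call `explode(',', ...)` without trimming and a name with surrounding whitespace would never match.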
@@ -54,6 +53,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
 if (count($input_errors) == 0) {
 $authsrv = auth_get_authserver($pconfig['authmode']);
 if (!empty($pconfig['savetest'])) {
+ # XXX this needs repairing...
 if ($authsrv['type'] == "ldap") {
 $save_and_test = true;
 } else {
@@ -61,8 +61,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
 }
 }
- foreach (array('session_timeout', 'authmode', 'authmode_fallback', 'password_policy_duration',
- 'enable_password_policy_constraints',
+ foreach (array('session_timeout', 'password_policy_duration', 'enable_password_policy_constraints',
 'password_policy_complexity', 'password_policy_length') as $fieldname) {
 if (!empty($pconfig[$fieldname])) {
 $config['system']['webgui'][$fieldname] = $pconfig[$fieldname];
@@ -71,6 +70,11 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
 }
 }
+ if (!empty($pconfig['authmode'])) {
+ $config['system']['webgui']['authmode'] = implode(',', $pconfig['authmode']);
+ } elseif (isset($config['system']['webgui']['authmode'])) {
+ unset($config['system']['webgui']['authmode']);
+ }
 write_config();
 }
@@ -78,9 +82,10 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
 legacy_html_escape_form_data($pconfig);
 include("head.inc");
-?>
+?>
+
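Review bot: `$authsrv = auth_get_authserver($pconfig['authmode'])` now receives the multi-select array from `$_POST` instead of a single name, so the save-and-test branch dereferences `$authsrv['type']` on whatever that helper returns for an array argument; the added `# XXX this needs repairing...` records the problem but leaves the branch reachable. Until the test flow is reworked for a list, a minimal repair is to resolve one entry explicitly and guard the dereference: `$authsrv = is_array($pconfig['authmode']) ? auth_get_authserver(reset($pconfig['authmode'])) : false;` followed by `if (!empty($pconfig['savetest']) && !empty($authsrv['type'])) {`. The POST branch this sits in starts before the hunk.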
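Review bot: `implode(',', $pconfig['authmode'])` writes the raw POST selection into `system.webgui.authmode` without checking that each entry names an existing authentication server or is free of the comma that is now the delimiter, and it assumes the value is an array (a scalar POST value would make `implode` fail). The comma filter added in system_authservers.php only covers the server-definition side, while the consumers in authgui.inc and opnsense-auth resolve each stored name with `auth_get_authserver()`, so this page is the place to validate the list before it is written. The check belongs in the `$input_errors` block earlier in the POST branch, outside this hunk; a sketch follows, using `empty()` on the lookup because the helper's failure value is not visible here.
```php
// POST branch, alongside the other $input_errors checks (outside this hunk)
if (!empty($pconfig['authmode'])) {
    if (!is_array($pconfig['authmode'])) {
        $input_errors[] = gettext('Invalid authentication server selection.');
    } else {
        foreach ($pconfig['authmode'] as $authserver) {
            if (!is_string($authserver) || strpos($authserver, ',') !== false || empty(auth_get_authserver($authserver))) {
                $input_errors[] = sprintf(gettext('Unknown authentication server "%s".'), $authserver);
            }
        }
    }
}
// … unchanged: remaining validation, config assignment and write_config() …
```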