diff --git a/etc/emqx.conf b/etc/emqx.conf
index 10142fd1e..82ec0dc8c 100644
--- a/etc/emqx.conf
+++ b/etc/emqx.conf
@@ -849,6 +849,11 @@ zone.internal.ignore_loop_deliver = false
 ## Value: true | false
 zone.internal.strict_mode = false
+## Allow the zone's clients to bypass authentication step
+##
+## Value: true | false
+zone.internal.bypass_auth_plugins = true
+
 ##--------------------------------------------------------------------
 ## Listeners
 ##--------------------------------------------------------------------
diff --git a/priv/emqx.schema b/priv/emqx.schema
index 468dfc343..db4421c91 100644
--- a/priv/emqx.schema
+++ b/priv/emqx.schema
@@ -939,6 +939,12 @@ end}.
 {datatype, {enum, [true, false]}}
 ]}.
+%% @doc Whether to bypass the authentication step
+{mapping, "zone.$name.bypass_auth_plugins", "emqx.zones", [
+ {default, false},
+ {datatype, {enum, [true, false]}}
+]}.
+
 {translation, "emqx.zones", fun(Conf) ->
 Mapping = fun("publish_limit", Val) ->
 [L, D] = string:tokens(Val, ", "),
diff --git a/src/emqx_access_control.erl b/src/emqx_access_control.erl
index 4ee62a42e..e891ca275 100644
--- a/src/emqx_access_control.erl
+++ b/src/emqx_access_control.erl
@@ -34,11 +34,12 @@
 -spec(authenticate(emqx_types:clientinfo()) -> {ok, result()} | {error, term()}).
 authenticate(ClientInfo = #{zone := Zone}) ->
- case run_hooks('client.authenticate', [ClientInfo], default_auth_result(Zone)) of
- Result = #{auth_result := success} ->
- {ok, Result};
- Result ->
- {error, maps:get(auth_result, Result, unknown_error)}
+ AuthResult = default_auth_result(Zone),
+ case emqx_zone:get_env(Zone, bypass_auth_plugins, false) of
+ true ->
+ return_auth_result(AuthResult);
+ false ->
+ return_auth_result(run_hooks('client.authenticate', [ClientInfo], AuthResult))
 end.
 %% @doc Check ACL
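Review bot: In etc/emqx.conf the new comment for `zone.internal.bypass_auth_plugins` says clients "bypass authentication step", but the code in src/emqx_access_control.erl only skips the 'client.authenticate' hooks and then returns `default_auth_result(Zone)`, so the outcome still depends on the zone's other settings. The same wording is in the `%% @doc` line of the priv/emqx.schema hunk. I would reword both, e.g. `## Skip the auth plugins ('client.authenticate' hooks) for this zone's clients;` followed by `## the zone's default auth result is returned as-is.` The shipped value here is `true` while the schema default is `false`, so the comment should also say that no plugin check runs for any listener mapped to this zone, and that the zone therefore belongs only on trusted interfaces.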
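Review bot: In `authenticate/1` (src/emqx_access_control.erl) the `true ->` branch never calls `run_hooks/3`, which is also where `emqx_metrics:inc(Name)` happens, so logins that take the bypass are not counted and nothing in this branch logs them. If bypassed connections should stay visible to monitoring, the branch could read `true -> ok = emqx_metrics:inc('client.authenticate'), return_auth_result(AuthResult);`, or use a separate counter or a debug log if that metric is meant to count hook runs only. The result on this path is whatever `default_auth_result(Zone)` returns, and its body is outside the hunk. A comment above the `case`, such as `%% Bypass: no plugin runs; the result is the zone default and depends on other zone settings.`, would make that dependency explicit.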
@@ -81,3 +82,8 @@ default_auth_result(Zone) ->
 run_hooks(Name, Args, Acc) ->
 ok = emqx_metrics:inc(Name),
 emqx_hooks:run_fold(Name, Args, Acc).
+-compile({inline, [return_auth_result/1]}).
+return_auth_result(Result = #{auth_result := success}) ->
+ {ok, Result};
+return_auth_result(Result) ->
+ {error, maps:get(auth_result, Result, unknown_error)}.
diff --git a/test/emqx_access_control_SUITE.erl b/test/emqx_access_control_SUITE.erl
index 34a0b83b1..ca4db1fbb 100644
--- a/test/emqx_access_control_SUITE.erl
+++ b/test/emqx_access_control_SUITE.erl
@@ -52,6 +52,20 @@ t_check_acl(_) ->
 t_reload_acl(_) ->
 ?assertEqual(ok, emqx_access_control:reload_acl()).
+t_bypass_auth_plugins(_) ->
+ AuthFun = fun(#{zone := bypass_zone}, AuthRes) ->
+ {stop, AuthRes#{auth_result => password_error}};
+ (#{zone := _}, AuthRes) ->
+ {stop, AuthRes#{auth_result => success}}
+ end,
+ ClientInfo = clientinfo(),
+ emqx_zone:set_env(bypass_zone, allow_anonymous, true),
+ emqx_zone:set_env(zone, allow_anonymous, false),
+ emqx_zone:set_env(bypass_zone, bypass_auth_plugins, true),
+ emqx:hook('client.authenticate', AuthFun, []),
+ ?assertMatch({ok, _}, emqx_access_control:authenticate(ClientInfo#{zone => bypass_zone})),
+ ?assertMatch({ok, _}, emqx_access_control:authenticate(ClientInfo)).
+
 %%--------------------------------------------------------------------
 %% Helper functions
 %%--------------------------------------------------------------------
diff --git a/test/emqx_logger_formatter_SUITE.erl b/test/emqx_logger_formatter_SUITE.erl
index 6699ae68c..3d7469dca 100644
--- a/test/emqx_logger_formatter_SUITE.erl
+++ b/test/emqx_logger_formatter_SUITE.erl
@@ -20,6 +20,7 @@
 -module(emqx_logger_formatter_SUITE).
 -compile(export_all).
+-compile(nowarn_export_all).
 -include_lib("eunit/include/eunit.hrl").
 -include_lib("common_test/include/ct.hrl").
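Review bot: `t_bypass_auth_plugins/1` in test/emqx_access_control_SUITE.erl only asserts the allow path: the bypass zone has `allow_anonymous` set to `true`, so nothing checks that a bypass zone with `allow_anonymous` set to `false` is still refused. Assuming `default_auth_result/1` (its body is not shown on this page) follows `allow_anonymous`, I would add `emqx_zone:set_env(bypass_zone, allow_anonymous, false),` and `?assertMatch({error, _}, emqx_access_control:authenticate(ClientInfo#{zone => bypass_zone})),` so the bypass cannot regress into an unconditional allow. The test also leaves `AuthFun` hooked and the zone env changed when it returns; `emqx:unhook('client.authenticate', AuthFun)` at the end would keep it from leaking into later cases.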