diff --git a/apps/emqx/src/emqx_schema.erl b/apps/emqx/src/emqx_schema.erl index 245d7d5fc..4b1f0c55f 100644 --- a/apps/emqx/src/emqx_schema.erl +++ b/apps/emqx/src/emqx_schema.erl @@ -103,12 +103,10 @@ The configs here work as default values which can be overriden in zone configs""" })} , {"authentication", - sc(hoconsc:lazy(hoconsc:array(map())), - #{ desc => + authentication( """Default authentication configs for all MQTT listeners.
For per-listener overrides see authentication -in listener configs""" - })} +in listener configs""")} , {"authorization", sc(ref("authorization"), #{})} @@ -903,8 +901,7 @@ mqtt_listener() -> #{}) } , {"authentication", - sc(hoconsc:lazy(hoconsc:array(map())), - #{}) + authentication("Per-listener authentication override") } ]. @@ -1356,3 +1353,13 @@ str(B) when is_binary(B) -> binary_to_list(B); str(S) when is_list(S) -> S. + +authentication(Desc) -> + #{ type => hoconsc:union([typerefl:map(), hoconsc:array(typerefl:map())]) + , desc => [Desc, "
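Review bot: The two descriptions passed to `authentication/1` (the global default in the first hunk and `"Per-listener authentication override"` in `mqtt_listener()`) do not say how the two settings combine. An operator needs that to avoid leaving a listener with weaker authentication than intended. The per-listener text should state whether the override replaces the global chain or is tried in addition to it, and both texts should state what an empty or absent value means for connecting clients. That behaviour is not visible in this diff, so the exact wording has to come from the authn implementation.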
", """ +Authentication can be one single authenticator instance or a chain of authenticators as an array. +The when authenticating a login (username, client ID, etc.) the authenticators are checked +in the configured order. +""" + ] + }. diff --git a/apps/emqx_authn/src/emqx_authn.erl b/apps/emqx_authn/src/emqx_authn.erl index a49aacff4..fbd31c5d2 100644 --- a/apps/emqx_authn/src/emqx_authn.erl +++ b/apps/emqx_authn/src/emqx_authn.erl @@ -33,6 +33,8 @@ providers() -> , {{scram, 'built-in-database'}, emqx_enhanced_authn_scram_mnesia} ]. +check_configs(C) when is_map(C) -> + check_configs([C]); check_configs([]) -> []; check_configs([Config | Configs]) -> [check_config(Config) | check_configs(Configs)].
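Review bot: The type built in `authentication/1` only checks shape, because `typerefl:map()` accepts any map, and it no longer has the `hoconsc:lazy(...)` wrapper both call sites used before. The contents of each authenticator are presumably validated later by `emqx_authn:check_configs/1`, so a comment above the function such as `%% Shape check only; each authenticator is validated by emqx_authn.` would stop readers assuming the schema rejects a malformed authenticator. The description also has a typo that will reach the generated docs: "The when authenticating a login" should read `When authenticating a login (username, client ID, etc.) the authenticators are checked`. The function returns a bare map where the other fields in this file go through `sc/2`; if `sc/2` does more than build that map, which is not visible here, call it for consistency.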
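Review bot: The new `is_map/1` clause of `check_configs/1` makes the function return a one-element list for a single-map input, and nothing near the clause documents that normalisation. A caller that stores the checked result would see the config change shape from map to list. Add a spec and a comment such as `%% A single authenticator is normalised to a one-element chain; list order is the order authenticators are tried.` Input that is neither a map nor a list still fails with `function_clause`; say so in the comment if this function is reached with operator-supplied config, so nobody later adds a catch-all clause that lets bad input through.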