diff --git a/configs/development.ini b/configs/development.ini
--- a/configs/development.ini
+++ b/configs/development.ini
@@ -199,6 +199,21 @@ default_encoding = UTF-8
 ## all running rhodecode instances. Leave empty if you don't use it
 instance_id =
 
+## Fallback authentication plugin. Set this to a plugin ID to force the usage
+## of an authentication plugin also if it is disabled by it's settings.
+## This could be useful if you are unable to log in to the system due to broken
+## authentication settings. Then you can enable e.g. the internal rhodecode auth
+## module to log in again and fix the settings.
+##
+## Available builtin plugin IDs (hash is part of the ID):
+## egg:rhodecode-enterprise-ce#rhodecode
+## egg:rhodecode-enterprise-ce#pam
+## egg:rhodecode-enterprise-ce#ldap
+## egg:rhodecode-enterprise-ce#jasig_cas
+## egg:rhodecode-enterprise-ce#headers
+## egg:rhodecode-enterprise-ce#crowd
+#rhodecode.auth_plugin_fallback = egg:rhodecode-enterprise-ce#rhodecode
+
 ## alternative return HTTP header for failed authentication. Default HTTP
 ## response is 401 HTTPUnauthorized. Currently HG clients have troubles with
 ## handling that causing a series of failed authentication calls.
diff --git a/configs/production.ini b/configs/production.ini
--- a/configs/production.ini
+++ b/configs/production.ini
@@ -173,6 +173,21 @@ default_encoding = UTF-8
 ## all running rhodecode instances. Leave empty if you don't use it
 instance_id =
 
+## Fallback authentication plugin. Set this to a plugin ID to force the usage
+## of an authentication plugin also if it is disabled by it's settings.
+## This could be useful if you are unable to log in to the system due to broken
+## authentication settings. Then you can enable e.g. the internal rhodecode auth
+## module to log in again and fix the settings.
+##
+## Available builtin plugin IDs (hash is part of the ID):
+## egg:rhodecode-enterprise-ce#rhodecode
+## egg:rhodecode-enterprise-ce#pam
+## egg:rhodecode-enterprise-ce#ldap
+## egg:rhodecode-enterprise-ce#jasig_cas
+## egg:rhodecode-enterprise-ce#headers
+## egg:rhodecode-enterprise-ce#crowd
+#rhodecode.auth_plugin_fallback = egg:rhodecode-enterprise-ce#rhodecode
+
 ## alternative return HTTP header for failed authentication. Default HTTP
 ## response is 401 HTTPUnauthorized. Currently HG clients have troubles with
 ## handling that causing a series of failed authentication calls.