Want to add another layer of authentication to the default Drupal login? Say, by calling a company’s internal web service? Here’s a clean approach I’ve taken. Notice that we are inserting our secondary authentication into the validators, rather than overriding anything. Also notice that if we authenticate against our local Drupal DB, there’s no reason to look at the secondary web service or DB, but rather we only look if our default local authentication failed. Then, if we authenticate against our secondary source, we create a user to be used later on.