diff --git a/mysql-test/suite/plugins/r/multiauth.result b/mysql-test/suite/plugins/r/multiauth.result
index a62532e3225..7b6465c3040 100644
--- a/mysql-test/suite/plugins/r/multiauth.result
+++ b/mysql-test/suite/plugins/r/multiauth.result
@@ -193,3 +193,16 @@ user()	current_user()	database()
 mysqltest1@localhost	mysqltest1@%	test
 drop user mysqltest1;
 uninstall soname 'auth_ed25519';
+create user mysqltest1 identified via mysql_native_password as password("good") OR unix_socket;
+show create user mysqltest1;
+CREATE USER for mysqltest1@%
+CREATE USER `mysqltest1`@`%` IDENTIFIED VIA mysql_native_password USING '*8409037B3E362D6DAE24C8E667F4D3B66716144E' OR unix_socket
+alter user mysqltest1 identified via mysql_native_password as password("better");
+show create user mysqltest1;
+CREATE USER for mysqltest1@%
+CREATE USER `mysqltest1`@`%` IDENTIFIED BY PASSWORD '*6E6CABC9967AB586F009616BA69DAC2953849C88'
+flush privileges;
+show create user mysqltest1;
+CREATE USER for mysqltest1@%
+CREATE USER `mysqltest1`@`%` IDENTIFIED BY PASSWORD '*6E6CABC9967AB586F009616BA69DAC2953849C88'
+drop user mysqltest1;
diff --git a/mysql-test/suite/plugins/t/multiauth.test b/mysql-test/suite/plugins/t/multiauth.test
index ffd4851c20d..cc6fc0c8644 100644
--- a/mysql-test/suite/plugins/t/multiauth.test
+++ b/mysql-test/suite/plugins/t/multiauth.test
@@ -194,3 +194,14 @@ drop user mysqltest1;
 
 uninstall soname 'auth_ed25519';
 --remove_file $MYSQLTEST_VARDIR/tmp/peercred_test.txt
+
+#
+# MDEV-21928 ALTER USER doesn't remove excess authentication plugins from mysql.global_priv
+#
+create user mysqltest1 identified via mysql_native_password as password("good") OR unix_socket;
+show create user mysqltest1;
+alter user mysqltest1 identified via mysql_native_password as password("better");
+show create user mysqltest1;
+flush privileges;
+show create user mysqltest1;
+drop user mysqltest1;
diff --git a/sql/sql_acl.cc b/sql/sql_acl.cc
index d210403a269..6f403d9ade6 100644
--- a/sql/sql_acl.cc
+++ b/sql/sql_acl.cc
@@ -1425,9 +1425,12 @@ class User_table_json: public User_table
 
   bool set_auth(const ACL_USER &u) const
   {
-    StringBuffer<JSON_SIZE> json(m_table->field[2]->charset());
-    if (u.nauth == 1)
+    size_t array_len;
+    const char *array;
+    if (u.nauth == 1 && get_value("auth_or", JSV_ARRAY, &array, &array_len))
       return set_auth1(u, 0);
+
+    StringBuffer<JSON_SIZE> json(m_table->field[2]->charset());
     bool top_done = false;
     json.append('[');
     for (uint i=0; i < u.nauth; i++)