diff --git a/CHANGES b/CHANGES
index 1cfa7eb7c0a74c6d9f32f8da7034a2d91ae655c9..542b814abcbfd2e47d6e2530ac655c6d6e7da282 100644
--- a/CHANGES
+++ b/CHANGES
@@ -181,6 +181,8 @@ chan_iax2
    seconds. Setting this to a higher value may help in lagged networks or those
    experiencing high packet loss.
 
+ * Plaintext auth mode is deprecated and removed from possible default modes.
+
 chan_rtp (was chan_multicast_rtp)
 ------------------
  * Added unicast RTP support and renamed chan_multicast_rtp to chan_rtp.
diff --git a/channels/chan_iax2.c b/channels/chan_iax2.c
index 456ba8f1ed102a67126a60b2e3208afebe39f6eb..04cdad1e407afc4353c0771f3f1a9f6d2b7e589d 100644
--- a/channels/chan_iax2.c
+++ b/channels/chan_iax2.c
@@ -7997,7 +7997,7 @@ static int check_access(int callno, struct ast_sockaddr *addr, struct iax_ies *i
 		  * Set authmethods to the last known authmethod used by the system
 		  * Set a fake secret, it's not looked at, just required to attempt authentication.
 		  * Set authrej so the AUTHREP is rejected without even looking at its contents */
-		iaxs[callno]->authmethods = last_authmethod ? last_authmethod : (IAX_AUTH_MD5 | IAX_AUTH_PLAINTEXT);
+		iaxs[callno]->authmethods = last_authmethod ? last_authmethod : IAX_AUTH_MD5;
 		ast_string_field_set(iaxs[callno], secret, "badsecret");
 		iaxs[callno]->authrej = 1;
 		if (!ast_strlen_zero(iaxs[callno]->username)) {
@@ -9192,7 +9192,7 @@ static int registry_authrequest(int callno)
 	 * peer does not exist, and vice-versa.
 	 * Therefore, we use whatever the last peer used (which may vary over the
 	 * course of a server, which should leak minimal information). */
-	sentauthmethod = p ? p->authmethods : last_authmethod ? last_authmethod : (IAX_AUTH_MD5 | IAX_AUTH_PLAINTEXT);
+	sentauthmethod = p ? p->authmethods : last_authmethod ? last_authmethod : IAX_AUTH_MD5;
 	if (!p) {
 		iaxs[callno]->authmethods = sentauthmethod;
 	}
@@ -12870,6 +12870,9 @@ static struct iax2_peer *build_peer(const char *name, struct ast_variable *v, st
 				}
 			} else if (!strcasecmp(v->name, "auth")) {
 				peer->authmethods = get_auth_methods(v->value);
+				if (peer->authmethods & IAX_AUTH_PLAINTEXT) {
+					ast_log(LOG_WARNING, "Auth method for peer '%s' is set to deprecated 'plaintext' at line %d of iax.conf\n", peer->name, v->lineno);
+				}
 			} else if (!strcasecmp(v->name, "encryption")) {
 				peer->encmethods |= get_encrypt_methods(v->value);
 				if (!peer->encmethods) {
@@ -13040,7 +13043,7 @@ static struct iax2_peer *build_peer(const char *name, struct ast_variable *v, st
 			}
 		}
 		if (!peer->authmethods)
-			peer->authmethods = IAX_AUTH_MD5 | IAX_AUTH_PLAINTEXT;
+			peer->authmethods = IAX_AUTH_MD5;
 		ast_clear_flag64(peer, IAX_DELME);
 	}
 
@@ -13189,6 +13192,9 @@ static struct iax2_user *build_user(const char *name, struct ast_variable *v, st
 				}
 			} else if (!strcasecmp(v->name, "auth")) {
 				user->authmethods = get_auth_methods(v->value);
+				if (user->authmethods & IAX_AUTH_PLAINTEXT) {
+					ast_log(LOG_WARNING, "Auth method for user '%s' is set to deprecated 'plaintext' at line %d of iax.conf\n", user->name, v->lineno);
+				}
 			} else if (!strcasecmp(v->name, "encryption")) {
 				user->encmethods |= get_encrypt_methods(v->value);
 				if (!user->encmethods) {
@@ -13321,13 +13327,13 @@ static struct iax2_user *build_user(const char *name, struct ast_variable *v, st
 		}
 		if (!user->authmethods) {
 			if (!ast_strlen_zero(user->secret)) {
-				user->authmethods = IAX_AUTH_MD5 | IAX_AUTH_PLAINTEXT;
+				user->authmethods = IAX_AUTH_MD5;
 				if (!ast_strlen_zero(user->inkeys))
 					user->authmethods |= IAX_AUTH_RSA;
 			} else if (!ast_strlen_zero(user->inkeys)) {
 				user->authmethods = IAX_AUTH_RSA;
 			} else {
-				user->authmethods = IAX_AUTH_MD5 | IAX_AUTH_PLAINTEXT;
+				user->authmethods = IAX_AUTH_MD5;
 			}
 		}
 		ast_clear_flag64(user, IAX_DELME);