diff --git a/tljh/configurer.py b/tljh/configurer.py
index 4597712fe..da0794849 100644
--- a/tljh/configurer.py
+++ b/tljh/configurer.py
@@ -149,27 +149,49 @@ def update_base_url(c, config):
 
 def update_auth(c, config):
     """
-    Set auth related configuration from YAML config file
-
-    Use auth.type to determine authenticator to use. All parameters
-    in the config under auth.{auth.type} will be passed straight to the
-    authenticators themselves.
+    Set auth related configuration from YAML config file.
+
+    As an example, this function should update the following TLJH auth
+    configuration:
+
+    ```yaml
+    auth:
+      type: oauthenticator.github.GitHubOAuthenticator
+      GitHubOAuthenticator:
+        client_id: "..."
+        client_secret: "..."
+        oauth_callback_url: "..."
+      ArbitraryKey:
+        arbitrary_key: "..."
+        arbitrary_key_with_none_value:
+    ```
+
+    by applying the following configuration:
+
+    ```python
+    c.JupyterHub.authenticator_class = "oauthenticator.github.GitHubOAuthenticator"
+    c.GitHubOAuthenticator.client_id = "..."
+    c.GitHubOAuthenticator.client_secret = "..."
+    c.GitHubOAuthenticator.oauth_callback_url = "..."
+    c.ArbitraryKey.arbitrary_key = "..."
+    ```
+
+    Note that "auth.type" and "auth.ArbitraryKey.arbitrary_key_with_none_value"
+    are treated a bit differently. auth.type will always map to
+    c.JupyterHub.authenticator_class and any configured value being None won't
+    be set.
     """
-    auth = config.get('auth')
-
-    # FIXME: Make sure this is something importable.
-    # FIXME: SECURITY: Class must inherit from Authenticator, to prevent us being
-    # used to set arbitrary properties on arbitrary types of objects!
-    authenticator_class = auth['type']
-    # When specifying fully qualified name, use classname as key for config
-    authenticator_configname = authenticator_class.split('.')[-1]
-    c.JupyterHub.authenticator_class = authenticator_class
-    # Use just class name when setting config. If authenticator is "dummy", its
-    # config will be set under c.DummyAuthenticator
-    authenticator_parent = getattr(c, authenticator_class.split('.')[-1])
-
-    for k, v in auth.get(authenticator_configname, {}).items():
-        set_if_not_none(authenticator_parent, k, v)
+    tljh_auth_config = config['auth']
+    c.JupyterHub.authenticator_class = tljh_auth_config['type']
+
+    for auth_key, auth_value in tljh_auth_config.items():
+        if auth_key == "type":
+            continue
+        traitlet_class_name = auth_key
+        traitlet_class_config = auth_value
+        traitlet_class_instance = getattr(c, traitlet_class_name)
+        for config_name, config_value in traitlet_class_config.items():
+            set_if_not_none(traitlet_class_instance, config_name, config_value)
 
 
 def update_userlists(c, config):