diff --git a/clientconn.go b/clientconn.go
index 688180cc3..2241b9ef5 100644
--- a/clientconn.go
+++ b/clientconn.go
@@ -172,7 +172,7 @@ func WithInsecure() DialOption {
 // connection level security credentials (e.g., TLS/SSL).
 func WithTransportCredentials(auth credentials.TransportAuthenticator) DialOption {
 	return func(o *dialOptions) {
-		o.copts.Authenticators = append(o.copts.Authenticators, auth)
+		o.copts.Authenticator = auth
 	}
 }
 
@@ -369,11 +369,11 @@ func (cc *ClientConn) newAddrConn(addr Address, skipWait bool) error {
 		ac.events = trace.NewEventLog("grpc.ClientConn", ac.addr.Addr)
 	}
 	if !ac.dopts.insecure {
-		if len(ac.dopts.copts.Authenticators) == 0 {
+		if ac.dopts.copts.Authenticator == nil {
 			return errNoTransportSecurity
 		}
 	} else {
-		if len(ac.dopts.copts.Authenticators) > 0 {
+		if ac.dopts.copts.Authenticator != nil {
 			return errCredentialsMisuse
 		}
 		for _, cd := range ac.dopts.copts.Credentials {
diff --git a/transport/http2_client.go b/transport/http2_client.go
index 23ae7897d..59b6c0df4 100644
--- a/transport/http2_client.go
+++ b/transport/http2_client.go
@@ -117,7 +117,7 @@ func newHTTP2Client(addr string, opts *ConnectOptions) (_ ClientTransport, err e
 		return nil, ConnectionErrorf("transport: %v", connErr)
 	}
 	var authInfo credentials.AuthInfo
-	for _, auth := range opts.Authenticators {
+	if opts.Authenticator != nil {
 		scheme = "https"
 		// TODO(zhaoq): Now the first TransportAuthenticator is used if there are
 		// multiple ones provided. Revisit this if it is not appropriate. Probably
@@ -126,8 +126,7 @@ func newHTTP2Client(addr string, opts *ConnectOptions) (_ ClientTransport, err e
 		if timeout > 0 {
 			timeout -= time.Since(startT)
 		}
-		conn, authInfo, connErr = auth.ClientHandshake(addr, conn, timeout)
-		break
+		conn, authInfo, connErr = opts.Authenticator.ClientHandshake(addr, conn, timeout)
 	}
 	if connErr != nil {
 		return nil, ConnectionErrorf("transport: %v", connErr)
diff --git a/transport/transport.go b/transport/transport.go
index 8ec537d43..cf2bdef68 100644
--- a/transport/transport.go
+++ b/transport/transport.go
@@ -338,8 +338,8 @@ type ConnectOptions struct {
 	Dialer func(string, time.Duration) (net.Conn, error)
 	// Credentials stores the credentials required to issue RPCs.
 	Credentials []credentials.Credentials
-	// Authenticators stores the Authenticators required to setup a client connection.
-	Authenticators []credentials.TransportAuthenticator
+	// Authenticator stores the Authenticator required to setup a client connection.
+	Authenticator credentials.TransportAuthenticator
 	// Timeout specifies the timeout for dialing a ClientTransport.
 	Timeout time.Duration
 }