diff --git a/src/Security/Authenticator.php b/src/Security/Authenticator.php
index f13bf2023..c4f66b121 100644
--- a/src/Security/Authenticator.php
+++ b/src/Security/Authenticator.php
@@ -108,7 +108,7 @@ interface Authenticator
      * @param ValidationResult $result A validationresult which is either valid or contains the error message(s)
      * @return Member The matched member, or null if the authentication fails
      */
-    public function authenticate($data, &$result = null);
+    public function authenticate($data, ValidationResult &$result = null);
 
     /**
      * Check if the passed password matches the stored one (if the member is not locked out).
@@ -121,5 +121,5 @@ interface Authenticator
      * @param ValidationResult $result
      * @return ValidationResult
      */
-    public function checkPassword(Member $member, $password, ValidationResult $result = null);
+    public function checkPassword(Member $member, $password, ValidationResult &$result = null);
 }
diff --git a/src/Security/Member.php b/src/Security/Member.php
index 70db4e479..e11c76d56 100644
--- a/src/Security/Member.php
+++ b/src/Security/Member.php
@@ -330,7 +330,7 @@ class Member extends DataObject
      * @param ValidationResult $result Optional result to add errors to
      * @return ValidationResult
      */
-    public function validateCanLogin(ValidationResult $result = null)
+    public function validateCanLogin(ValidationResult &$result = null)
     {
         $result = $result ?: ValidationResult::create();
         if ($this->isLockedOut()) {
diff --git a/src/Security/MemberAuthenticator/CMSLoginHandler.php b/src/Security/MemberAuthenticator/CMSLoginHandler.php
index bd588c231..f30cdb7db 100644
--- a/src/Security/MemberAuthenticator/CMSLoginHandler.php
+++ b/src/Security/MemberAuthenticator/CMSLoginHandler.php
@@ -41,7 +41,7 @@ class CMSLoginHandler extends LoginHandler
     protected function redirectToChangePassword()
     {
         // Since this form is loaded via an iframe, this redirect must be performed via javascript
-        $changePasswordForm = ChangePasswordForm::create($this->form->getController(), 'ChangePasswordForm');
+        $changePasswordForm = ChangePasswordForm::create($this, 'ChangePasswordForm');
         $changePasswordForm->sessionMessage(
             _t('SilverStripe\\Security\\Member.PASSWORDEXPIRED', 'Your password has expired. Please choose a new one.'),
             'good'
diff --git a/src/Security/MemberAuthenticator/CMSMemberAuthenticator.php b/src/Security/MemberAuthenticator/CMSMemberAuthenticator.php
index 3a7034950..467823b4d 100644
--- a/src/Security/MemberAuthenticator/CMSMemberAuthenticator.php
+++ b/src/Security/MemberAuthenticator/CMSMemberAuthenticator.php
@@ -23,7 +23,7 @@ class CMSMemberAuthenticator extends MemberAuthenticator
      * @param Member|null $member
      * @return Member
      */
-    protected function authenticateMember($data, &$result = null, $member = null)
+    protected function authenticateMember($data, ValidationResult &$result = null, Member $member = null)
     {
         // Attempt to identify by temporary ID
         if (!empty($data['tempid'])) {
diff --git a/src/Security/MemberAuthenticator/LoginHandler.php b/src/Security/MemberAuthenticator/LoginHandler.php
index 74e8b1425..31a2b00c4 100644
--- a/src/Security/MemberAuthenticator/LoginHandler.php
+++ b/src/Security/MemberAuthenticator/LoginHandler.php
@@ -113,6 +113,7 @@ class LoginHandler extends RequestHandler
 
         $this->extend('beforeLogin');
         // Successful login
+        /** @var ValidationResult $result */
         if ($member = $this->checkLogin($data, $result)) {
             $this->performLogin($member, $data, $form->getRequestHandler()->getRequest());
             // Allow operations on the member after successful login
@@ -209,7 +210,7 @@ class LoginHandler extends RequestHandler
      * @return Member Returns the member object on successful authentication
      *                or NULL on failure.
      */
-    public function checkLogin($data, &$result)
+    public function checkLogin($data, ValidationResult &$result = null)
     {
         $member = $this->authenticator->authenticate($data, $result);
         if ($member instanceof Member) {
diff --git a/src/Security/MemberAuthenticator/MemberAuthenticator.php b/src/Security/MemberAuthenticator/MemberAuthenticator.php
index 02bf1e244..0068b6270 100644
--- a/src/Security/MemberAuthenticator/MemberAuthenticator.php
+++ b/src/Security/MemberAuthenticator/MemberAuthenticator.php
@@ -36,7 +36,7 @@ class MemberAuthenticator implements Authenticator
      * @param null|ValidationResult $result
      * @return null|Member
      */
-    public function authenticate($data, &$result = null)
+    public function authenticate($data, ValidationResult &$result = null)
     {
         // Find authenticated member
         $member = $this->authenticateMember($data, $result);
@@ -56,10 +56,10 @@ class MemberAuthenticator implements Authenticator
      *
      * @param array $data Form submitted data
      * @param ValidationResult $result
-     * @param Member|null This third parameter is used in the CMSAuthenticator(s)
-     * @return Member|null Found member, regardless of successful login
+     * @param Member $member This third parameter is used in the CMSAuthenticator(s)
+     * @return Member Found member, regardless of successful login
      */
-    protected function authenticateMember($data, &$result = null, $member = null)
+    protected function authenticateMember($data, ValidationResult &$result = null, Member $member = null)
     {
         $email = !empty($data['Email']) ? $data['Email'] : null;
         $result = $result ?: ValidationResult::create();
@@ -128,7 +128,7 @@ class MemberAuthenticator implements Authenticator
      * @param ValidationResult $result
      * @return ValidationResult
      */
-    public function checkPassword(Member $member, $password, ValidationResult $result = null)
+    public function checkPassword(Member $member, $password, ValidationResult &$result = null)
     {
         // Check if allowed to login
         $result = $member->validateCanLogin($result);
diff --git a/src/Security/MemberAuthenticator/MemberLoginForm.php b/src/Security/MemberAuthenticator/MemberLoginForm.php
index ef61dfc4f..b6b7e8809 100644
--- a/src/Security/MemberAuthenticator/MemberLoginForm.php
+++ b/src/Security/MemberAuthenticator/MemberLoginForm.php
@@ -77,8 +77,7 @@ class MemberLoginForm extends BaseLoginForm
         $actions = null,
         $checkCurrentUser = true
     ) {
-
-        $this->controller = $controller;
+        $this->setController($controller);
         $this->authenticator_class = $authenticatorClass;
 
         $customCSS = project() . '/css/member_login.css';
@@ -125,13 +124,14 @@ class MemberLoginForm extends BaseLoginForm
      */
     protected function getFormFields()
     {
-        if ($this->controller->request->getVar('BackURL')) {
-            $backURL = $this->controller->request->getVar('BackURL');
+        $request = $this->getController()->getRequest();
+        if ($request->getVar('BackURL')) {
+            $backURL = $request->getVar('BackURL');
         } else {
             $backURL = Session::get('BackURL');
         }
 
-        $label = Member::singleton()->fieldLabel(Member::config()->unique_identifier_field);
+        $label = Member::singleton()->fieldLabel(Member::config()->get('unique_identifier_field'));
         $fields = FieldList::create(
             HiddenField::create("AuthenticationMethod", null, $this->authenticator_class, $this),
             // Regardless of what the unique identifer field is (usually 'Email'), it will be held in the