Network structure (logical)

Authentication servers
Receive usernames and passwords, reply with yes/no or a token
Optionally perform the costly portion of password hashing
Access the database, talk to password hashing HSMs or servers for the portion involving the local parameter
Password hashing HSMs or servers
Are accessible from the authentication servers only
Receive partially computed hashes or passwords to hash, return computed hashes
Other servers needing user authentication
Talk to authentication servers or/and accept tokens