Task
Resolution: Done
Critical
Tackle the multiple credential problem directly rather than working around it. This requires multiple steps:
- In org.wildfly.security.auth.server.RealmIdentity, the credential access methods should drop credentialType and algorithmName and replace them with a single credentialName. The sole exception should be the getCredential method, which can retain the credentialType parameter in order to perform a soft cast-or-null operation for convenience. The verifyCredential method will need a credentialName parameter added.
- Add a method to RealmIdentity which can be used to query for the existence of a credential with the given label, e.g. hasCredential(String).
- Modify org.wildfly.security.auth.server.ModifiableRealmIdentity to add a credentialName parameter to setCredential.
- Add a method to ModifiableRealmIdentity to delete a single named credential.
- Modify the setCredentials method of ModifiableRealmIdentity to accept a Map<String,Object> instead of a List<Object>.
- Add a credential selection mapper mechanism which can consume authentication process information and use it to yield a credential label. Some implementation ideas:
  - A functional interface which accepts the (mapped) name, authentication mechanism type (e.g. SASL vs HTTP vs ???), optional protocol type (e.g. SASL field), and actual mechanism name (e.g. "DIGEST-MD5"), and yields the label name or a list (in descending order of preference) of label names.
  - Note that the approach must be forwards-compatible if we need to add more criteria to the mapping process.
  - Provide a default setting which selects a label from a simple predefined scheme based on the kind of authentication being performed (e.g. SASL "DIGEST-MD5" could prefer "sasl-digest" and then "clear-password", SASL "CLEAR" could prefer "password" and then "clear-password", etc.).
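Added sketch of the mapper idea in Java (not code from this ticket or from WildFly Elytron): the interface name CredentialNameMapper, the RealmIdentityLike stand-in for the proposed hasCredential/getCredential methods, and the "clear-password" fallback are assumptions; the preference lists come from the default scheme described above. The selection loop shows why the label list is ordered: a label the identity does not hold is skipped in favour of the next one.

```java
import java.util.List;
import java.util.Map;

/** Hypothetical functional interface: yields credential labels in descending order of preference. */
@FunctionalInterface
interface CredentialNameMapper {
    List<String> mapCredentialNames(String mappedName, String mechanismType,
                                    String protocol, String mechanismName);
}

/** Stand-in for the proposed RealmIdentity methods (method names taken from the ticket). */
interface RealmIdentityLike {
    boolean hasCredential(String credentialName);
    Object getCredential(String credentialName);
}

public final class CredentialSelectionExample {
    /** Default scheme from the ticket: SASL DIGEST-MD5 -> sasl-digest, clear-password; SASL CLEAR -> password, clear-password. */
    static final CredentialNameMapper DEFAULT = (mappedName, mechanismType, protocol, mechanismName) -> {
        if ("SASL".equals(mechanismType)) {
            switch (mechanismName) {
                case "DIGEST-MD5": return List.of("sasl-digest", "clear-password");
                case "CLEAR":      return List.of("password", "clear-password");
                default:           break;
            }
        }
        return List.of("clear-password"); // assumed fallback; the ticket does not define one
    };

    /** Walk the preference list and return the first label the identity actually holds, or null if none. */
    static String selectCredentialName(RealmIdentityLike identity, CredentialNameMapper mapper, String mappedName,
                                       String mechanismType, String protocol, String mechanismName) {
        for (String label : mapper.mapCredentialNames(mappedName, mechanismType, protocol, mechanismName)) {
            if (identity.hasCredential(label)) {
                return label;
            }
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed in-memory identity holding two named credentials but no "sasl-digest" entry.
        Map<String, Object> store = Map.of("clear-password", "secret".toCharArray(),
                                           "password", "secret".toCharArray());
        RealmIdentityLike identity = new RealmIdentityLike() {
            public boolean hasCredential(String name) { return store.containsKey(name); }
            public Object getCredential(String name) { return store.get(name); }
        };
        // DIGEST-MD5 prefers "sasl-digest", which is absent, so selection falls through to "clear-password".
        System.out.println(selectCredentialName(identity, DEFAULT, "alice", "SASL", null, "DIGEST-MD5"));
        System.out.println(selectCredentialName(identity, DEFAULT, "alice", "SASL", null, "CLEAR"));
    }
}
```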