The current Authentication SPI needs a clean-up before we can mark it as supported. There are also a number of use-cases we need to consider to make sure the SPI supports these:

• Step-up-authentication levels / level of assurance
• Ability to introduce custom credential types that can be configured through account management console and/or admin console
• Alternative two-factor mechanisms (e.g. Google Authenticator as default, SMS as backup)
• Alternative login-mechanisms (e.g. username/password as default, BankID as backup)
• Remember machine option (only ask for two factor every 30 days)
• Push/async authentication mechanisms (non blocking)