Comment 5 for bug 1299012

Guang Yee (guang-yee) wrote :

Neither password nor token auth plugins are considered 2-factor. There are a number of ways to implement multi-factor authentication and the V3 auth methods do not dictate one way or the other. For example, you can implement 2-factor auth in a single auth method payload where the password is the combination of a one-time passcode and a static PIN. It is up to the plug-in implementations to reconcile the attributes of an identity (or user_context). The identity attributes are conveyed in the user_context, which is shared among the plugins.

Having said that, I agree we need to fix the password and token auth plugins to agree on the user_id. But I don't think they pose a security problem right now.
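
The user_id agreement discussed in the comment above, as an added sketch that is not part of the original comment and is not Keystone's code: every requested method writes into one shared user_context, and a method that resolves to a different user than an earlier one is rejected. The names `bind_user`, `IdentityMismatch` and `HANDLERS`, and the sample users and tokens, are hypothetical.

```python
import hmac

# Constructed sample data, not real credentials or tokens.
USERS = {"alice-id": "s3cret", "bob-id": "hunter2"}
TOKENS = {"tok-alice": "alice-id", "tok-bob": "bob-id"}


class IdentityMismatch(Exception):
    """Two auth methods in one request resolved to different users."""


def bind_user(user_context, user_id, method):
    # The first method to succeed fixes the identity; later ones must agree.
    bound = user_context.setdefault("user_id", user_id)
    if bound != user_id:
        raise IdentityMismatch(f"{method} resolved {user_id}, expected {bound}")
    user_context.setdefault("method_names", []).append(method)


def password_method(payload, user_context):
    user = payload["user"]
    expected = USERS.get(user["id"])
    supplied = user["password"].encode()
    # Constant-time comparison of the stored and supplied secrets.
    if expected is None or not hmac.compare_digest(expected.encode(), supplied):
        raise PermissionError("invalid password")
    bind_user(user_context, user["id"], "password")


def token_method(payload, user_context):
    user_id = TOKENS.get(payload["id"])
    if user_id is None:
        raise PermissionError("invalid token")
    bind_user(user_context, user_id, "token")


HANDLERS = {"password": password_method, "token": token_method}


def authenticate(identity):
    """Run every requested method against one shared user_context."""
    user_context = {}
    for name in identity["methods"]:
        HANDLERS[name](identity[name], user_context)
    return user_context
```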