We currently have an MR where we're overhauling some of the auth, and I know in the future we do want to explore what else we could add/improve for our backends :)
The only hole I found was that if you bypass UI hashing, you can create an account that can never be logged in to, but... that's the most secure account I can think of.