by PaulHoule 65 days ago
The thing I am worried about is not "slow" or "complex" in the sense of it being a lot of code. What I am worried about is it being "correct".

I work on a subscription service where there are numerous ways to "log in", like maybe your IP address tells us you work for one of our members, or we integrate with the SSO for your organization. It might even be both -- on campus you use your IP but you need your SSO from home, or on campus you might use the SSO not for access but to tell us who you are so you can access features like bookmarks. For other members you log in with a username and password. And there are even more ways to log in.

You'd better believe we have to think about this complexity whenever we work on the auth system, but it is worth it because each of these things serves a certain tranche of customers.

1 comments

That makes a lot of sense, especially the focus on correctness. What you described is interesting because even with multiple login paths (IP, SSO, credentials), you’re already adapting identity based on context, just in a structured way. I guess the challenge I’m thinking about is what happens after login — when behavior starts to shift. Do your systems treat identity as stable at that point, or do they continue adjusting based on what the user is doing?