If `OneTimeTokenAuthenticationProvider` issues an authority `FACTOR_OTT` upon completion, then authorization rules can state that username/password authentication is specifically required for an endpoint through an authorization rule:

```java
http
    .authorizeHttpRequests((authorize) -> authorize
        .requestMatchers("/profile/**").hasAuthority("FACTOR_OTT")
        .anyRequest().authenticated()
    )
```
It would be valuable for all Spring Security authentication providers to add an authority like this one.
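
One way an existing provider could be made to issue such an authority today, as an added example that is not Spring Security's own code. The class names `FactorGrantingAuthenticationProvider` and `FactorAuthentication` are hypothetical, and treating every `FACTOR_`-prefixed authority as reserved for providers is an assumption of this sketch.

```java
import java.util.ArrayList;
import java.util.List;
import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;

// Hypothetical decorator: adds one factor authority to a delegate's successful result.
public final class FactorGrantingAuthenticationProvider implements AuthenticationProvider {
    private final AuthenticationProvider delegate;
    private final GrantedAuthority factor;

    public FactorGrantingAuthenticationProvider(AuthenticationProvider delegate, String factor) {
        this.delegate = delegate;
        this.factor = new SimpleGrantedAuthority(factor); // e.g. "FACTOR_OTT"
    }

    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        Authentication result = this.delegate.authenticate(authentication);
        if (result == null || !result.isAuthenticated()) {
            return result; // never grant a factor unless the delegate authenticated
        }
        List<GrantedAuthority> authorities = new ArrayList<>();
        for (GrantedAuthority a : result.getAuthorities()) {
            // Assumption: FACTOR_* is reserved, so a value stored on the user
            // record must not be able to satisfy hasAuthority("FACTOR_OTT").
            String name = a.getAuthority();
            if (name == null || !name.startsWith("FACTOR_")) {
                authorities.add(a);
            }
        }
        authorities.add(this.factor);
        return new FactorAuthentication(result, authorities);
    }

    @Override
    public boolean supports(Class<?> authentication) {
        return this.delegate.supports(authentication);
    }

    // Carries the delegate's principal, credentials and details with the new authority list.
    private static final class FactorAuthentication extends AbstractAuthenticationToken {
        private final Authentication source;
        FactorAuthentication(Authentication source, List<GrantedAuthority> authorities) {
            super(authorities);
            this.source = source;
            setDetails(source.getDetails());
            setAuthenticated(true);
        }
        @Override public Object getCredentials() { return this.source.getCredentials(); }
        @Override public Object getPrincipal() { return this.source.getPrincipal(); }
    }
}
```

Wrapping replaces the delegate's concrete token type, so code that checks the `Authentication` with `instanceof` will see `FactorAuthentication` instead.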