NOTE: This is a ticket that the Spring Security team is reviewing for inclusion. It's not considered ready to implement yet. When it is, this disclaimer will be removed and the title may change.
Since authentication factors are strongly implied by the factor names, there may be value (possibly in conjunction with https://github.com/spring-projects/spring-security/issues/17960) in configuring `HttpSecurity` with the mechanisms specified in the annotation.
For example,

```java
@EnableGlobalMultifactorAuthentication(authorities = { FACTOR_X509_AUTHORITY, FACTOR_OTT_AUTHORITY })
```

strongly implies that

```java
.x509(Customizer.withDefaults())
.oneTimeTokenLogin(Customizer.withDefaults())
```

will be needed.
It's not clear how much this buys since many mechanisms require additional beans like `UserDetailsService` and `TokenGenerationSuccessHandler` to be fully configured. The nice thing is that it removes the need to add this customizer to `HttpSecurity`.