Kinto / kinto

A generic JSON document store with sharing and synchronisation capabilities.
http://docs.kinto-storage.org/

Accounts API shouldn't commit to a specific authentication mechanism #1317

Open glasserc opened 7 years ago

glasserc commented 7 years ago

Currently, the Accounts API is a wrapper around and replacement for the "basic auth" authentication mechanism. It allows us to detect a failed basic authentication as well as to update credentials for a given basic authentication without having to update the permissions on every object in the database. However, because an authentication mechanism is "baked in" to the accounts API, these benefits do not apply in other cases, such as when someone using the Portier mechanism changes their email address, or when someone wants to change their authentication mechanism from Portier to FXA or vice versa.

To address this, we should allow an account to be created with any authentication mechanism rather than just a username and password.

Natim commented 7 years ago

This is the next level, which is to be able to link multiple auth mechanisms to a user. Today we didn't find ourselves needing it, but I can definitely see how it could be interesting.

Note that everything you describe here is already doable using groups. You can create a group and then link all the different user auth principals to that group.
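The group-based workaround above, as an added example that is not part of the issue thread or of Kinto's own code: it models, offline, how a group record whose members are several auth principals stands in for an "account", so that a principal change (a new Portier email here) touches only the group's member list while object permissions that name the group keep working. The bucket/group names and the principal strings are constructed sample values.

```python
from typing import Dict, List, Set

# Group principal URI in the form Kinto uses to reference a group in permissions
# (constructed example path).
GROUP_URI = "/buckets/blog/groups/alice"


def group_payload(members: List[str]) -> Dict:
    """Body for a PUT on the group resource: link the given auth principals."""
    return {"data": {"members": list(members)}}


def effective_principals(user_principal: str, groups: Dict[str, List[str]]) -> Set[str]:
    """Principals a request carries: the authenticated one plus every group
    whose member list contains it."""
    principals = {user_principal}
    for group_uri, members in groups.items():
        if user_principal in members:
            principals.add(group_uri)
    return principals


def is_allowed(user_principal: str, obj_perms: Dict[str, List[str]],
               perm: str, groups: Dict[str, List[str]]) -> bool:
    """True when any of the request's principals is listed under `perm`."""
    granted = set(obj_perms.get(perm, []))
    return bool(effective_principals(user_principal, groups) & granted)


def demo() -> Dict[str, bool]:
    # The object's permission names the group, never an individual principal.
    record_perms = {"write": [GROUP_URI]}
    groups = {GROUP_URI: group_payload(
        ["basicauth:abc123", "portier:alice@example.com"])["data"]["members"]}
    before = {
        "basicauth": is_allowed("basicauth:abc123", record_perms, "write", groups),
        "old_email": is_allowed("portier:alice@example.com", record_perms, "write", groups),
    }
    # Alice changes her Portier email: only the group's members are rewritten,
    # record_perms stays untouched.
    groups[GROUP_URI] = group_payload(
        ["basicauth:abc123", "portier:alice@new.example"])["data"]["members"]
    return {
        **before,
        "new_email": is_allowed("portier:alice@new.example", record_perms, "write", groups),
        "old_email_after": is_allowed("portier:alice@example.com", record_perms, "write", groups),
        "perms_unchanged": record_perms == {"write": [GROUP_URI]},
    }
```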