At the moment, the account is inferred from the auth token.
Coupling account name and auth secret in such a way is not a good idea for a couple of reasons:
If an attacker somehow obtains an account name, which is not difficult since account names are no secret information, it will be easy to recompute a password from the acount name. To draw a more familiar analogy with web applications: This is like if a web app would just hash user passwords without adding any salt and then publish all unsalted hashes. It would be trivial for an attacker to recompute user passwords with a dictionary attack.
A user cannot change his password/auth token. A different password maps to another account and, hence, changing the password is not possible without changing the account name.
If a user forgot his password, he permanently lost access to his account. Typicall "Password Forgotten" functionality cannot be implemented.
Why not simply use the username that is provided in the BTP auth packet?
At the moment, the account is inferred from the auth token.
Coupling account name and auth secret in such a way is not a good idea for a couple of reasons:
Why not simply use the username that is provided in the BTP auth packet?