Some implementations may require a custom login process, such as two-factor authentication. But the process is actually more or less hard-coded in the client, which leaves no room for such customization. Of course, the login process should be customizable per database instance.
We should let the login method request more data than just the password. This will be achieved by raising a specific exception which will describe what data is required to go further in the process. The client will fill a parameter dictionary with all the data requested and pass it to the login method. Once the login method has enough parameters, it will authenticate the user.
The same design will apply to renewing an expired session.
As we will have many modules that could implement login methods, we will add a configuration option that lists the methods to use, in order of preference. If a method cannot authenticate the user, the next one will be used.
We will not change the design of the session as I don’t think it needs modification.
The drawback is that some login methods will not be compatible with basic HTTP authentication. This is to be expected, as that method is basic. But developers could still add the current method as a default fall-back, perhaps with some check on which users are allowed to use it.
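The exchange described above, sketched as an added example (not code from the original proposal): login methods raise an exception to request a parameter, the server tries the configured methods in order, and the password fall-back checks which users may use it so that it cannot bypass two-factor. All names (`LoginException`, `AUTHENTICATIONS`, the method names) and the plain-text sample accounts are assumptions made for illustration.

```python
import hmac

class LoginException(Exception):  # hypothetical; asks the client for one more parameter
    def __init__(self, name, message, type="char"):
        super().__init__(message)
        self.name, self.message, self.type = name, message, type

# Constructed sample accounts; a real server stores password hashes and OTP secrets.
USERS = {"alice": {"id": 1, "password": "s3cret", "otp": "123456"},
         "bob": {"id": 2, "password": "hunter2", "otp": None}}

def _ask(parameters, name, message, type="char"):
    if name not in parameters:
        raise LoginException(name, message, type)
    return parameters[name]
def _same(value, expected):
    return hmac.compare_digest(value.encode(), expected.encode())

def login_password_otp(login, parameters):
    user = USERS.get(login)
    if user is None or user["otp"] is None:
        return None  # not enrolled: let the next configured method try
    if not _same(_ask(parameters, "password", "Password", "password"), user["password"]):
        return None
    return user["id"] if _same(_ask(parameters, "otp", "One-time code"), user["otp"]) else None

def login_password(login, parameters):
    password = _ask(parameters, "password", "Password", "password")  # asked for any login
    user = USERS.get(login)
    if user is None or user["otp"] is not None:
        return None  # fall-back refused for users enrolled in two-factor
    return user["id"] if _same(password, user["password"]) else None

METHODS = {"password_otp": login_password_otp, "password": login_password}
AUTHENTICATIONS = ["password_otp", "password"]  # configuration option, preferred order

def login(login_name, parameters):
    """Server side: try each configured method in order; None means refused."""
    results = (METHODS[name](login_name, parameters) for name in AUTHENTICATIONS)
    return next((uid for uid in results if uid is not None), None)

def client_login(login_name, answer):
    """Client side: resend the growing parameter dict until login stops asking."""
    parameters = {}
    while True:
        try:
            return login(login_name, parameters)
        except LoginException as exc:
            parameters[exc.name] = answer(exc.name, exc.message, exc.type)
```

Here `answer` stands for whatever the client uses to prompt the user; it receives the requested field's name, label and type and returns the value entered.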