How deep do you authenticate? - Accessing applications usually entails some kind of identity. Some part(s) of your application provide identity (called IdP), while other's consume it (paraphrased from Captain Obvious). Identity could be provided from a record or document in your or another database, an LDAP directory, an OICD or a 3d party like your eMail provider or social account, or with some hoops and loops Webauthn (a.k.a passkey).
The question is: how deep does it go ?
This is a companion discussion topic for the original entry at https://wissel.net/blog/2024/06/how-deep-do-you-authenticate.html