...
Another way to think of it is this: This concept extends beyond pure "levels" of authentication (where one is always better than another) to "types" of authentication (where each type has pros and cons that make it better or worse under varying circumstances). One example would be related to PCI compliance. As an organization, we might say that the two-factor combination of a simple password plus Google Authenticator is stronger than a complex password. But PCI rules might say that all users need a strong password regardless of whether or not they have Google Authenticator. Thus, the systems that need to be PCI compliant would need to be configured to handle an exception to the rule and reject something that the rest of the organization thinks is strong.
Jérôme:
Just to be sure: you want to keep the ability to request a specific authentication method (and not a level of authentication), correct?
But how do you do that with an authentication constraint? What do you imagine as a syntax?
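The PCI case above can be checked mechanically. The following is an added example, not part of the original discussion and not a proposed syntax from its participants: it shows that no single minimum-level threshold reproduces the PCI rule, while a constraint on attributes does. The numeric levels, the `AuthEvent` fields and the `requires` parameter are all assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class AuthEvent:
    name: str
    strong_password: bool
    second_factor: bool  # e.g. Google Authenticator

# Constructed sample events: the two cases from the text plus their combination.
SIMPLE_PLUS_GA = AuthEvent("simple password + Google Authenticator", False, True)
COMPLEX_ONLY = AuthEvent("complex password", True, False)
COMPLEX_PLUS_GA = AuthEvent("complex password + Google Authenticator", True, True)
EVENTS = [SIMPLE_PLUS_GA, COMPLEX_ONLY, COMPLEX_PLUS_GA]

def org_level(e):
    """Assumed organization-wide ranking: simple+GA outranks complex-only."""
    if e.second_factor:
        return 30 if e.strong_password else 20
    return 10 if e.strong_password else 0

def pci_wanted(e):
    """PCI-style rule from the text: strong password required, GA or not."""
    return e.strong_password

def thresholds_matching_pci():
    """Every minimum level that accepts exactly the events the PCI rule wants."""
    levels = sorted({org_level(e) for e in EVENTS})
    candidates = levels + [levels[-1] + 1]
    return [t for t in candidates
            if all((org_level(e) >= t) == pci_wanted(e) for e in EVENTS)]

def allowed(e, min_level=0, requires=()):
    """Type-aware constraint (hypothetical): minimum level plus required attributes."""
    return org_level(e) >= min_level and all(getattr(e, a) for a in requires)

if __name__ == "__main__":
    print("level-only thresholds that match PCI:", thresholds_matching_pci())
    for e in EVENTS:
        print(f"{e.name}: org service={allowed(e, min_level=20)}, "
              f"PCI service={allowed(e, requires=('strong_password',))}")
```
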
V. Main algorithm
A) Diagram
...