Represents a temporary denial of the credential to authenticate. This is used
to rate-limit attempts and prevent brute-forcing of accounts. At an initial failure the
SoftLock is created with the count set to 1, an unlock_at set to 1 second
later, and a reset_count_at set at a maximum time window for a cycle.
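
The lock lifecycle described above, as an added example that is not the project's own code. The page specifies only the first failure (count 1, unlock_at one second later, reset_count_at at the cycle window); the 600-second window, the delay growing by one second per failure, clearing the lock on success, and the names `Limiter`, `Outcome` and `attempt` are assumptions.

```rust
use std::time::Duration;

// Assumption: the page gives no value for the "maximum time window for a cycle".
const RESET_WINDOW: Duration = Duration::from_secs(600);

#[derive(Debug, Clone, Copy, PartialEq)]
pub struct SoftLock {
    pub count: u64,
    pub unlock_at: Duration, // timestamps are durations since an arbitrary epoch
    pub reset_count_at: Duration,
}

#[derive(Debug, PartialEq)]
pub enum Outcome { Success, Failed, Denied }

// Hypothetical per-credential limiter, not a type from the page.
pub struct Limiter { lock: Option<SoftLock> }

impl Limiter {
    pub fn new() -> Self { Limiter { lock: None } }
    pub fn lock(&self) -> Option<SoftLock> { self.lock }

    pub fn attempt(&mut self, now: Duration, secret_ok: bool) -> Outcome {
        // Cycle window elapsed: forget the earlier failures.
        if matches!(self.lock, Some(l) if now >= l.reset_count_at) { self.lock = None; }
        // Still locked: deny without evaluating the secret, so a guess made
        // during the lock learns nothing about whether it was correct.
        if matches!(self.lock, Some(l) if now < l.unlock_at) { return Outcome::Denied; }
        // Assumption: a successful authentication clears the lock.
        if secret_ok { self.lock = None; return Outcome::Success; }
        let count = self.lock.map_or(0, |l| l.count) + 1;
        // The window is fixed by the first failure of the cycle (assumption).
        let reset_count_at = self.lock.map_or(now + RESET_WINDOW, |l| l.reset_count_at);
        // First failure gives now + 1s as on the page; linear growth after that is assumed.
        let unlock_at = now + Duration::from_secs(count);
        self.lock = Some(SoftLock { count, unlock_at, reset_count_at });
        Outcome::Failed
    }
}

fn main() {
    let t = Duration::from_secs; // constructed timeline, in seconds
    let mut l = Limiter::new();
    for (now, ok) in [(100, false), (100, true), (101, false), (103, true)] {
        println!("t={now} ok={ok} -> {:?} {:?}", l.attempt(t(now), ok), l.lock());
    }
}
```
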

This is how we store credentials in the server. An account can have many credentials, and
a credential can have many factors. Authentication only succeeds when a credential is
satisfied as a whole unit. For example:
A: Credential { password: aaa }
B: Credential { password: bbb, otp: … }
In this case, if we selected credential B, and then provided password “aaa” we would deny
the auth as the password of B was incorrect. Additionally, while A only needs the “password”,
B requires both the password and otp to be valid.

The type of credential that is stored. Each of these represents a full set of ‘what is required’
to complete an authentication session. The reason to have these typed like this is so we can
apply policy later to what classes or levels of credentials can be used. We also use these types
to know what type of auth session handler to initiate.