So I've actually been using the credentials API for some of my work
towards MFA, different types of MFA, and even different stages for MFA.
For example (totp in this case), I first have a service create a user's
totp secret as type 'totp-draft' so that the totp auth method can't use
it, but so
At the PTG in Atlanta, we talked about deprecating the policy and
credential APIs. The policy API doesn't do anything and secrets shouldn't
be stored in credential API. Reasoning and outcomes can be found in the
etherpad from the session [0]. There was some progress made on the policy
API [1], but
