[Just a placeholder, to make sure I don't forget, I'll add details later]

During the SymfonyWorld keynote, people suggested to add an option like required_badges were you can on an application level require which badges should be set on the password. This should avoid e.g. loading a 3rd party authenticator that somehow removed the CsrfBadge badge - while you think you still have CSRF support.