So let's set a simple initial goal. I would vote for looking at username/ password authentication against external systems as a first step.
I second your vote. The immediate request I have before me is: to be able to authenticate against an LDAP or Radius or Kerberos server. All are instances of username/password authentication.