Interesting. I think what I'd do instead of this would be set requires_preauth on all your user principals. I agree your proposed change is reasonable however.