It might also be helpful to think about this in a general sense, without being too coupled to Form + BASIC.
I believe the problem we're trying to solve is: 1. I don't care how my user is authenticated - just that they are authenticated. 2. If they're not authenticated yet, I want them to be authenticated via one of X, Y or Z (or more) means. It might be better to come up with a mechanism for this rather than focusing on Form + BASIC details specifically (e.g. throw X.509 into the mix or something else).
