So I'm wondering if any of these would be useful to anyone else...
Add an event to the authenticate and createUser methods that occurs earlier in the method, to preset values (i.e. password before hash, so we can set a generated password before the hash section of createUser).
Instead of using Object user = userClass.newInstance(); try to find an @Factory(user) to create the object first.
Currently, authenticate ends with return success; which won't work properly if we want to add custom extra auth checking in the method. Currently we'd have to throw an exception in the post-auth observer to stop the authentication, which seems like a hack to me.