From szab100 in #7638 (comment)

One suggestion though is that we found --disable-password-auth to be useless, since it blocks user management via the API when enabled. The workaround is that we create users with long, generated passwords that we never share with them. Our suggestion is that instead of making it org-scoped, make it even more flexible by making it user-scoped, eg allow creating users with disabled passwords and/or disable password for already existing users (through API / CLI / UI).