I'm still a novice with phpBB, but I can already see that you may wish to review the way your product authenticates.
I think what you'll see more and more is a separation of authentication (and sometimes authorization) from the application itself.
Many products already provide single sign-on via Apache modules or ISAPI filters. For example, SiteMinder, Ping, and Oracle SSO. What these tools do is intercept web requests, authenticate users via redirects, then redirect the user back to the original site with headers containing the user information. They are much more secure than application-based authentication.
A site using such an SSO module can either have embedded logic to process the user information or can pass the user information to another engine which does fine-grained authorization.
I think there are two things that phpBB needs to support such systems.
First, it needs to separate the user identifier from the display name. The "key" to the user should ideally be a one-way hashed GUID (to allow for certain privacy standards). The display name would either come from the SSO header or from a user preference.
The second thing needed is that the idea of logging on must be totally configurable. The SSO module does that. phpBB only needs to consume the variables and set the user context.
I hope that makes a bit of sense.
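A sketch of the two points in the post above, as an added example that is not part of the original post and not phpBB code: consume the SSO headers, derive a one-way user key from the GUID, and pick the display name. Assumptions: the header names `X-SSO-User-GUID` and `X-SSO-Display-Name`, an SSO module running on a reverse proxy at a known address, HMAC-SHA-256 as the one-way hash, the preference-before-header order, and the function name `sso_user_context` are all hypothetical.

```php
<?php
// Added example: header names, proxy address and secret are assumptions.
const TRUSTED_SSO_PROXIES = ['10.0.0.5'];               // constructed gateway address
const USER_KEY_SECRET     = 'replace-with-site-secret'; // placeholder value

/**
 * Build the user context from SSO headers, or return null when the
 * request cannot be trusted or carries no usable identifier.
 */
function sso_user_context(array $server, array $preferences = []): ?array
{
    // The headers mean something only if the request passed through the
    // SSO module; a client reaching the application directly can set them.
    $remote = $server['REMOTE_ADDR'] ?? '';
    if (!in_array($remote, TRUSTED_SSO_PROXIES, true)) {
        return null;
    }

    $guid = trim($server['HTTP_X_SSO_USER_GUID'] ?? '');
    if (!preg_match('/^[0-9a-fA-F-]{36}$/', $guid)) {
        return null; // missing or malformed: treat as not logged on
    }

    // One-way keyed hash: the stored key does not reveal the GUID.
    $user_key = hash_hmac('sha256', strtolower($guid), USER_KEY_SECRET);

    // Display name: user preference if set, otherwise the SSO header,
    // otherwise a neutral fallback derived from the key.
    $display = $preferences[$user_key]['display_name']
        ?? trim($server['HTTP_X_SSO_DISPLAY_NAME'] ?? '');
    if ($display === '') {
        $display = 'user-' . substr($user_key, 0, 8);
    }

    return ['user_key' => $user_key, 'display_name' => $display];
}

// Constructed sample request, as it might look after the SSO module ran.
$request = [
    'REMOTE_ADDR'             => '10.0.0.5',
    'HTTP_X_SSO_USER_GUID'    => '3f2504e0-4f89-11d3-9a0c-0305e82c3301',
    'HTTP_X_SSO_DISPLAY_NAME' => 'Pat Example',
];
var_dump(sso_user_context($request));                                   // user context
var_dump(sso_user_context(['REMOTE_ADDR' => '203.0.113.9'] + $request)); // NULL
```

The second call shows the same headers arriving from an address that is not the SSO gateway; the function refuses to build a user context from them.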