Yeah! That is identical to my implementation!
I love how you split your authentication into different steps. That was one of my main intentions when introducing the operation-wide policy object. It'll be cool to have that policy instance in forms, too, etc. Pretty sure a few more standards/conventions will evolve here shortly.