A handy AccessDeniedHandler implementation would be one that allows an authority like FACTOR_PASSWORD to be bound to an entry point, like new LoginUrlAuthenticationEntryPoint("/login").
With a map of factors to entry points, this access denied handler could allow an already authenticated user to obtain more authorities.
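
A sketch of such a handler, added here as an illustration and not taken from the original text or from Spring Security itself. The class name FactorEntryPointAccessDeniedHandler is hypothetical, the jakarta.servlet namespace (Spring Security 6 or later) is assumed, and the handler assumes a denial is caused by the first mapped factor the current user does not yet hold:

```java
import java.io.IOException;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.authentication.InsufficientAuthenticationException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.access.AccessDeniedHandler;
import org.springframework.security.web.access.AccessDeniedHandlerImpl;

// Hypothetical class (not a Spring Security type): maps factor authorities to entry points.
public final class FactorEntryPointAccessDeniedHandler implements AccessDeniedHandler {

    // Factor authority (e.g. "FACTOR_PASSWORD") -> entry point that lets the user obtain it.
    private final Map<String, AuthenticationEntryPoint> entryPoints;

    // Used when no mapped factor is missing: plain 403, so a fully
    // authenticated user is never sent back to a login page in a loop.
    private final AccessDeniedHandler fallback = new AccessDeniedHandlerImpl();

    public FactorEntryPointAccessDeniedHandler(Map<String, AuthenticationEntryPoint> entryPoints) {
        this.entryPoints = new LinkedHashMap<>(entryPoints); // preserve the caller's ordering
    }

    @Override
    public void handle(HttpServletRequest request, HttpServletResponse response,
            AccessDeniedException denied) throws IOException, ServletException {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        Set<String> held = (auth != null)
                ? AuthorityUtils.authorityListToSet(auth.getAuthorities()) : Set.of();
        for (Map.Entry<String, AuthenticationEntryPoint> entry : this.entryPoints.entrySet()) {
            if (!held.contains(entry.getKey())) {
                // Assumption: the denial stems from this missing factor.
                entry.getValue().commence(request, response,
                        new InsufficientAuthenticationException("Missing " + entry.getKey(), denied));
                return;
            }
        }
        this.fallback.handle(request, response, denied);
    }
}
```

It could be registered through exceptionHandling(e -> e.accessDeniedHandler(...)) with a map such as FACTOR_PASSWORD to new LoginUrlAuthenticationEntryPoint("/login"). Because the existing Authentication stays in the security context, the authentication step behind the entry point has to add the new authority to the current session rather than replace it.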