Trace the flow: "The form authenticator extracts email and password from the request, the user provider loads the entity by email, the password hasher verifies the hash, and the security system creates an authenticated token stored in the session."
User providers load user objects from storage (entity provider from the database, memory provider for testing). Authenticators handle the authentication logic: extracting credentials from the request, validating them, and creating the security token. The password hasher handles secure password storage (bcrypt or argon2id). Flow: firewall triggers the authenticator, which gets credentials, loads the user via the provider, verifies the password via the hasher, and creates an authenticated token. Strong candidates discuss: custom authenticators for API tokens or JWT, remember-me functionality, login throttling, the security token and how it relates to the session, and logout handlers.
Core Symfony security knowledge. Candidates who cannot explain the authentication flow will struggle to debug login issues or implement custom authentication. Those who understand the full chain from request to token build secure auth systems.
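The chain described above, written out as a custom form authenticator. This is an added example, not code from the original page or from Symfony itself. It assumes Symfony 6.4 or later, a login route named app_login, form fields email, password and _csrf_token, and the paths / and /login; all of those names are illustrative.

```php
<?php
// Added illustration. Assumed names: route "app_login", fields "email"/"password"/"_csrf_token", paths "/" and "/login".
namespace App\Security;

use Symfony\Component\HttpFoundation\RedirectResponse;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Exception\AuthenticationException;
use Symfony\Component\Security\Http\Authenticator\AbstractAuthenticator;
use Symfony\Component\Security\Http\Authenticator\Passport\Badge\CsrfTokenBadge;
use Symfony\Component\Security\Http\Authenticator\Passport\Badge\UserBadge;
use Symfony\Component\Security\Http\Authenticator\Passport\Credentials\PasswordCredentials;
use Symfony\Component\Security\Http\Authenticator\Passport\Passport;
use Symfony\Component\Security\Http\SecurityRequestAttributes;

final class LoginFormAuthenticator extends AbstractAuthenticator
{
    // Step 1: the firewall asks each authenticator whether it handles this request.
    public function supports(Request $request): ?bool
    {
        return $request->isMethod('POST') && $request->attributes->get('_route') === 'app_login';
    }

    // Step 2: extract credentials only. Nothing is verified inside this method.
    public function authenticate(Request $request): Passport
    {
        $email = (string) $request->request->get('email', '');
        $password = (string) $request->request->get('password', '');
        return new Passport(
            new UserBadge($email),              // step 3: the firewall's user provider loads the user
            new PasswordCredentials($password), // step 4: the password hasher verifies against the stored hash
            [new CsrfTokenBadge('authenticate', (string) $request->request->get('_csrf_token'))]
        );
    }

    // Step 5: runs only after the passport validated and the authenticated token was created.
    public function onAuthenticationSuccess(Request $request, TokenInterface $token, string $firewallName): ?Response
    {
        return new RedirectResponse('/');
    }

    // Unknown email and wrong password both arrive here; keep the user-facing message generic.
    public function onAuthenticationFailure(Request $request, AuthenticationException $exception): ?Response
    {
        $request->getSession()->set(SecurityRequestAttributes::AUTHENTICATION_ERROR, $exception);
        return new RedirectResponse('/login');
    }
}
```

The class takes effect once it is listed under the firewall's custom_authenticators key in the security configuration; the user lookup and hash verification are performed by the framework after authenticate() returns the passport.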