Trying to build a secure, configurable and easy to use authentication system (relative to my understanding)

I have experienced knowledge gaps and blind spots that I am attempting to fix. For example most users worry about security of hashed passwords and yet they do not realize that the TOTP (eg Google Authenticator) use symmetric encryption and quite a lot of the authentication providers store the private key in plain text in their database. List goes on...