Description
There are various reasons why an app may need to log in a user without the user having to go through the configured authenticators. A few examples I ran into are logging the user in after a password reset, or after the registration confirmation email was clicked.
Example
IMO a great API to have would be Security::programmaticLogin(Request $request, UserInterface $user, ?AuthenticatorInterface $authenticator = null)
After discussing this with @wouterj - it appears that the main complexity here is in choosing which Token class should be used. IMO it'd be fine to, by default, pick the default authenticator for the current firewall, and make that one authenticate the user via createAuthenticatedToken. If that's not ok, the developer can optionally pass the correct authenticator.
Why?
I had to figure this out myself and it took some help from @wouterj + some trial and error to arrive at this code:
    try {
        $this->userChecker->checkPreAuth($event->getUser());
    } catch (AuthenticationException $e) {
        // skip authenticating if any pre-auth check does not pass
        return;
    }

    if (($response = $this->userAuthenticator->authenticateUser($event->getUser(), $this->myPreferredAuthenticator, $event->getRequest()))) {
        return $response;
    }
Now as you can see, you have to know about UserAuthenticatorInterface to get that service injected, you then have to also figure out what the class name of your preferred authenticator is to get that injected, and then I also had to remember to call the user checker, otherwise inactive users were being logged in under some circumstances, which is not good.
Not too bad, I survived, but I can imagine this would be a bigger roadblock for others less familiar with the framework, so having some easier API in a more visible location would be nice.