I'll keep this one on the radar and mark it for 27.

Is the data in the fields actually used? Can we just ignore it from the representation when reading it instead using JSON Ignore?

I'm not sure how much it is used by people but if you look at most of places where we are using it today, I don't see any argument for keeping it:

• Adds noise to user representations. What does it mean setting otp to a user is it necessary to import/create/update users with OTP?
• It is very specific to OTP and does not cover other credential types
• It has been deprecated for several years

IMO, we should just remove it. Even if it is a breaking change and forces people to manually update their representations. Hopefully, we will have some versioning in the feature that allows us to push people towards using a new version rather than breaking things. But one day people will need to update, regardless ....

Can you think of a softer migration path?

As you suggested, I thought about ignoring unknown fields (not really keeping the field/getters/setters there). But we do validate the representation today, and I guess we want to continue doing so.