Another thing to consider in the medium to long term would be MFA support, preferably with some different options to be able to implement it by user (with the user able to toggle), or group (or be able to make it mandatory at the server level).
In my case, all of our servers are closed and managed (so users cannot create their own accounts), but it'd be nice to be able to have either a built-in code generator for a user to sign in, or attach an existing open one such as Google Auth or similar. Every one of our users has their own smartphone, so I'd either help them set up native MFA, or attach a third-party one. Of course, admins would still need to bypass MFA if needed when accessing a user's account, the easiest of which would probably be just temporarily disabling that user's MFA via the management GUI, and/or using the built-in Skeleton account. On that same note, it'd be easier/better for the admin skeleton account to have its OWN MFA so it can just be used like you can currently to override a login AND itself have better security.