diff --git a/src/TfaUserAuth.php b/src/TfaUserAuth.php
index 2b265ac..50dcd7a 100644
--- a/src/TfaUserAuth.php
+++ b/src/TfaUserAuth.php
@@ -10,7 +10,9 @@ use Drupal\Core\Config\ConfigFactoryInterface;
 use Drupal\Core\Entity\EntityTypeManagerInterface;
 use Drupal\tfa\Plugin\TfaValidationInterface;
 use Drupal\user\UserAuthInterface;
+use Drupal\user\UserAuthenticationInterface;
 use Drupal\user\UserDataInterface;
+use Drupal\user\UserInterface;
 
 /**
  * Tfa User Auth service decorator.
@@ -19,7 +21,7 @@ use Drupal\user\UserDataInterface;
  *   This class is publicly called as a decorator for the 'user.auth'
  *   service. The internal operations are subject to change at any time.
  */
-final class TfaUserAuth implements UserAuthInterface {
+final class TfaUserAuth implements UserAuthInterface, UserAuthenticationInterface  {
 
   /**
    * Constructs a TfaUserAuth object.
@@ -48,10 +50,9 @@ final class TfaUserAuth implements UserAuthInterface {
       return $this->innerAuthenticate($username, $password);
     }
 
-    /** @var \Drupal\user\UserInterface[] $account_search */
-    $account_search = $this->entityTypeManager->getStorage('user')->loadByProperties(['name' => $username]);
-
-    if ($account = reset($account_search)) {
+    /** @var \Drupal\user\UserInterface $account */
+    $account = $this->lookupAccount($username);
+    if ($account) {
       $login_context = $this->tfaLoginContextFactory->createContextFromUser($account);
 
       // Is TFA bypass requested, usually for TfaLoginForm which validates.
@@ -181,6 +182,43 @@ final class TfaUserAuth implements UserAuthInterface {
     return FALSE;
   }
 
+  /**
+   * Validates user authentication credentials.
+   *
+   * @param string $identifier
+   *   The user identifier to authenticate. Usually the username.
+   *
+   * @return Drupal\User\UserInterface|false
+   *   The user account on success, or FALSE on failure to authenticate.
+   */
+  public function lookupAccount($identifier): UserInterface|FALSE {
+    /** @var \Drupal\user\UserInterface[] $account_search */
+    $account_search = $this->entityTypeManager->getStorage('user')->loadByProperties(['name' => $identifier]);
+
+    if ($account = reset($account_search)) {
+      return $account;
+    }
+    return FALSE;
+  }
+
+  /**
+   * Validates user authentication credentials for an account.
+   *
+   * This can be used where the account has already been located using the login
+   * credentials.
+   *
+   * @param \Drupal\Core\Session\AccountInterface $account
+   *   The account to authenticate.
+   * @param string $password
+   *   A plain-text password, such as trimmed text from form values.
+   *
+   * @return bool
+   *   TRUE on success, FALSE on failure.
+   */
+  public function authenticateAccount(UserInterface $account, #[\SensitiveParameter] string $password): bool {
+    return (bool) $this->innerAuthenticate($account->get('name')->value, $password);
+  }
+
   /**
    * Wrapper for authenticating against the inner service.
    */
