What’s the role of the ClaimsPrincipal, why does it have multiple Identities?

The thing is, ClaimsPrincipal contains just a collection of identities and points to the currently used one but as far as I know, the principal usually never contains more than 1 identity and even if it would – the user is never logged in with 2 or more identities.

This is a wrong assumption. In fact the ClaimsPrincipal in context will always have more than 1 identity if your application requires n-factor authentication (n > 1).

Try looking at it this way.

Principal = User

Identity = Driver’s License, Passport, Credit Card, Google Account, Facebook Account, RSA SecurID, Fingerprint, Facial recognition, etc.

If you’re pulled over by the police, they don’t verify you’re who you claim to be, based on your driver’s license alone. They also need to see your face. Otherwise you could show anyone’s driver’s license.

Hence it makes sense, why authentication can and sometimes should be based on multiple identities. That’s why 1 ClaimsPrincipal can have any number of ClaimsIdentity.
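
The following is an added example, not part of the original answer: it builds one ClaimsPrincipal from several ClaimsIdentity objects and authorizes only when every required factor is backed by an authenticated identity. The authentication type names "Password" and "Totp", the sample claims, and the helper `SatisfiesAllFactors` are assumptions made for illustration.

```csharp
using System;
using System.Linq;
using System.Security.Claims;

public static class MultiIdentityDemo
{
    // Hypothetical policy helper: every required authentication type must be
    // present as an *authenticated* identity on the principal.
    public static bool SatisfiesAllFactors(ClaimsPrincipal user, params string[] requiredTypes)
    {
        var presented = user.Identities
            .Where(i => i.IsAuthenticated)          // skip identities with no authentication type
            .Select(i => i.AuthenticationType)
            .ToHashSet(StringComparer.Ordinal);
        return requiredTypes.All(t => presented.Contains(t));
    }

    public static void Main()
    {
        // Constructed sample identities, one per factor.
        var password = new ClaimsIdentity(
            new[] { new Claim(ClaimTypes.Name, "alice") }, "Password");
        var totp = new ClaimsIdentity(
            new[] { new Claim(ClaimTypes.NameIdentifier, "alice-token-01") }, "Totp");
        // An identity created without an authentication type carries claims
        // but reports IsAuthenticated == false, so it must not count as a factor.
        var unauthenticated = new ClaimsIdentity(
            new[] { new Claim(ClaimTypes.Email, "alice@example.test") });

        var user = new ClaimsPrincipal(password);
        Console.WriteLine($"password only:       {SatisfiesAllFactors(user, "Password", "Totp")}");

        user.AddIdentity(unauthenticated);
        Console.WriteLine($"+ unauthenticated:   {SatisfiesAllFactors(user, "Password", "Totp")}");

        user.AddIdentity(totp);
        Console.WriteLine($"+ second factor:     {SatisfiesAllFactors(user, "Password", "Totp")}");

        // Claim lookups on the principal search across all attached identities,
        // including the unauthenticated one, so check the issuing identity
        // before trusting a claim for an access decision.
        foreach (var id in user.Identities)
            Console.WriteLine($"{id.AuthenticationType ?? "(none)"}: authenticated={id.IsAuthenticated}, claims={id.Claims.Count()}");
        Console.WriteLine($"email found via principal: {user.FindFirst(ClaimTypes.Email)?.Value}");
    }
}
```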
