AP is awesome! My only two issues are:
1. Comment RSS is exposed even with AP enabled. This means that users' info is exposed publicly when they comment, even with the site locked down.
2. If a user forgets their password, their only option is to have WP reset it and email them a newly generated "random" password. Most people hate these (better) passwords such as "Rfwe329dkx" and prefer to use something more like "mypuppy83". Right now if a user forgets their password, and AP is enabled, there is absolutely no way for them to reset their password and then actually change it to something that they want it to be, because access to the dashboard is blocked (this is a good thing). But is there any way that a user could be given access to a password update function without sending them to the dashboard? Could the dashboard password change function be brought out to another page as part of AP?