This is in reference to "http://www.kashflow.com/developers/rest-api/sessiontoken/"
Authentication using username / password does not make sense when HTTPS and API tokens exist and are reliable. The suggestion that the system pass plain text passwords and use character positions in the user's memorable word implies storage of the memorable word in plain text, which would be odd to say the least!
I understand dealing with this is still to be sorted, which is a shame as I would think it's a relatively small effort - though very important. If that were done I would hope the warnings on the "shiny new API" could turn from "You should not be using it in a production environment" to "Be aware it can change, use at your own risk"; then early adopters would be happier to go in and help test it.
There is a project currently running with our platform team who are looking at our authentication methods within the REST API. We should hopefully have an update for you on this in the near future.