Thanks @jwilander. I am sorely tempted to just set everyone's AuthService / AuthData in the database since it worked fine in the experiment and we didn't see any issues... so surely in this instance we can just manually make the exact same change that the System Console would do anyway if it supported this?
The alternatives (continue to allow email sign on, or blow away our current instance with all history) are not very appealing.