I debugged in the SlingAuthenticator recently and noticed that all sling.auth.requirements configured for the SlingAuthenticator are internally registered twice. This is because they get registered once explicitly from the configuration and then again via the ServiceListener that evaluates the sling.auth.requirements from any service.
I think this causes no harm except for a very minor performance overhead when scanning throug all authentication requirements.
Note: the effect can also be observed in the web console, where entries configured on the SlingAuthenticator are listed twice.
cc cziegeler as you have been working on auth core recently. Looking at the latest code, I believe this issue survived your refactoring.