Details
Technical Task
Status: Closed
Resolution: Completed
Description
AutoLogin implementations don't have any configuration that would disable them.
For example, RequestHeaderAutoLogin doesn't check any password and authenticates anybody based on the LIFERAY_SCREEN_NAME HTTP request header.
Options to fix:
1. @Component(enabled=false): cannot be used because we have one class implementing both AutoLogin and AuthVerifier
2. @Component(configurationPolicy = ConfigurationPolicy.REQUIRE): requires creating a @Meta class for each autologin to enable it
3. introduce an "isEnabled()" function that would work similarly to #2
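
Option 3 as an added example, not Liferay's code and not part of this ticket: an `isEnabled()` gate that fails closed, so the header is ignored unless the setting is explicitly turned on. `HeaderAutoLoginGate`, its `BooleanSupplier` setting and the map of headers are hypothetical stand-ins for the real AutoLogin class, its configuration and the servlet request.

```java
import java.util.Map;
import java.util.function.BooleanSupplier;

// Added illustration of option 3. Every type here is a hypothetical stand-in,
// not Liferay's AutoLogin API.
public class HeaderAutoLoginGate {

    // Header named in the ticket.
    static final String SCREEN_NAME_HEADER = "LIFERAY_SCREEN_NAME";

    // Supplies the current value of the (hypothetical) "enabled" setting.
    private final BooleanSupplier enabledSetting;

    HeaderAutoLoginGate(BooleanSupplier enabledSetting) {
        this.enabledSetting = enabledSetting;
    }

    // Fail closed: a missing setting or a failing lookup counts as disabled.
    boolean isEnabled() {
        try {
            return enabledSetting != null && enabledSetting.getAsBoolean();
        } catch (RuntimeException e) {
            return false;
        }
    }

    // Returns the screen name to log in as, or null to leave the request
    // unauthenticated so that other login mechanisms can handle it.
    String login(Map<String, String> headers) {
        if (!isEnabled()) {
            return null; // the header is not even read while disabled
        }
        String screenName = headers.get(SCREEN_NAME_HEADER);
        if (screenName == null || screenName.isBlank()) {
            return null;
        }
        return screenName.trim();
    }

    public static void main(String[] args) {
        // Constructed sample request carrying the header.
        Map<String, String> headers = Map.of(SCREEN_NAME_HEADER, "jdoe");
        System.out.println(new HeaderAutoLoginGate(null).login(headers));
        System.out.println(new HeaderAutoLoginGate(() -> false).login(headers));
        System.out.println(new HeaderAutoLoginGate(() -> true).login(headers));
    }
}
```

Only the last call authenticates; with no setting or a `false` setting the same request stays unauthenticated.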