Authentication method and authentication string are not among the criteria used to match connections in the connection pool. If either contains information that further qualifies the authentication information, incorrect matches can occur.
One such case is in an application server scenario: if the username and password are identical but the authentication mechanisms differ, one user can get another's connection, although this is very unlikely to happen.
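The mismatch described above can be reproduced with a minimal pool model, shown next to a match key that also includes both fields. This is an added example, not the driver's code: the `ConnRequest` fields, the `Pool` class and all sample values are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ConnRequest:
    # Hypothetical request shape; all values used below are constructed.
    user: str
    password: str
    auth_method: str
    auth_string: str = ""

def weak_key(r):
    # Match criteria as the text describes them: method and string are ignored.
    return (r.user, r.password)

def strict_key(r):
    # Match criteria extended with authentication method and string.
    return (r.user, r.password, r.auth_method, r.auth_string)

class Pool:
    def __init__(self, key_fn):
        self._key_fn = key_fn
        self._idle = {}      # match key -> list of idle connections
        self._next_id = 0

    def acquire(self, req):
        idle = self._idle.get(self._key_fn(req))
        if idle:
            return idle.pop()            # reuse whatever matches the key
        self._next_id += 1
        # A "connection" is modelled as a record of who opened it and how.
        return {"id": self._next_id, "opened_by": req}

    def release(self, conn):
        key = self._key_fn(conn["opened_by"])
        self._idle.setdefault(key, []).append(conn)

def cross_matched(key_fn):
    """True if a request receives a connection opened under different auth settings."""
    pool = Pool(key_fn)
    first = ConnRequest("app", "s3cret", "kerberos", "realm=A")   # constructed
    second = ConnRequest("app", "s3cret", "password")             # constructed
    pool.release(pool.acquire(first))     # first user returns its connection
    return pool.acquire(second)["opened_by"] != second

if __name__ == "__main__":
    print("weak key cross-match:  ", cross_matched(weak_key))
    print("strict key cross-match:", cross_matched(strict_key))
```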