The Dynamic Authentifiers define which DialogUser is effectively used for which person. However, the DialogUser defined there should not be usable for a direct login.
At present, there is no elegant way to reliably prevent a direct login. It is therefore suggested to introduce a flag "IsDisabledForDirectLogin" on the DialogUser.
An enhancement request (#34824) has been created.
You could set DialogUser.Password to a value that is not a hash and is therefore invalid in any case (as is also delivered for "sa"), or you could set "IsLockedOut" on the DialogUser.
However, both measures can only be applied via SQL.
The product team will evaluate the request and this feature may become available in a future release of the product.