You can specify more than one pair of groups because you may not want all users to be treated the same.  For example, you may have a resource that needs to be accessed by 2-factor authenticated domain admins, but still block 2-factor authenticated users of other types. Having multiple group pairs allows you to define your own classes of users and apply different permissions to them, as a natural extension of how Microsoft authorization ACLs work.

AuthLite's use of group pairs to do session tagging is extremely powerful, but a little subtle to consider initially. The bottom line is that the users' effective group membership will switch around deterministically depending on how they authenticated, and you can use this knowledge to restrict access to your AD systems and resources.

Please refer to this tutorial video series for an illustrated discussion of these important topics.