Disclaimer: I didn't write the original implementation of this, Dan Poltawski did.
1: Moodle needs users to have a password. We just provide a string as a fake password. Since the user's auth plugin is set to cosign, they can't use it for normal login. AIUI, even external auth handlers require something. There was a proposal a while ago to change this so that the password belongs to the authentication plugin rather than the user, but I don't think any progress was made on that.
2: User accounts must exist in Moodle for a user to log in. Even those relating to external authentication. We made the cosign plugin create users on login (there's a flag IIRC).
I'm still trying to find out about releasing the plugin