If you know a concrete requirement, just write it down. Either as a backlog item in chapter 4 or as a quality requirement in chapter 6. It is useless to argue whether “The user shall log in with name and password “ is a function or already a proposed solution for the more general security requirement “The user shall identify him-/herself appropriately in the system “. The latter leaves more degrees of freedom for the development team to decide the type of identification, the former takes those degrees of freedom away from the development team.