Why shouldn't I destroy http session on user logout?


Is there any good reason not to simply destroy the HTTP session like:

import javax.faces.context.FacesContext;
import javax.servlet.http.HttpSession;

FacesContext facesContext = FacesContext.getCurrentInstance();
HttpSession session = (HttpSession) facesContext.getExternalContext().getSession(false);
if (session != null) session.invalidate(); // getSession(false) returns null when no session exists

instead of just deauthenticating the user and make sure to clean user data from the session scoped beans?


Solution

  • You have to do both. Deauthenticating the user can depend on your implementation. If you call out to a third-party system to obtain a security token for a user, chances are you have to call back again to invalidate the token.

    You also have to invalidate the HttpSession. Invalidating the session will release all session-scoped beans. It also releases JSF view states and component trees for pages visited during the user's session. These can make the session sizeable, and not invalidating it will leave the heap full of sessions waiting to time out, which has a negative impact on the server's capacity.

    BTW, you can invalidate the session without the need to obtain the HttpSession, like so:

    FacesContext.getCurrentInstance().getExternalContext().invalidateSession();
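A complete logout action that performs both steps from the answer above, as an added example (it is not code from the question or the answer). It assumes JSF 2.x with CDI on a Servlet 3.0+ container using the `javax.*` namespace (use `jakarta.*` on Jakarta EE 9+); `TokenService`, `TOKEN_ATTRIBUTE` and `/login.xhtml` are placeholders for whatever third-party token system and login page the application actually has.

```java
import java.io.IOException;

import javax.enterprise.context.RequestScoped;
import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;
import javax.inject.Inject;
import javax.inject.Named;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;

/**
 * Logout action that does both things the answer calls for:
 *  1. deauthenticate (revoke any externally issued token, clear the container's caller identity),
 *  2. invalidate the HttpSession (releases session-scoped beans and saved JSF view state).
 */
@Named
@RequestScoped
public class LogoutBean {

    /** Hypothetical client for the third-party system that issued the user's security token. */
    public interface TokenService {
        void invalidate(String token);
    }

    /** Assumed session attribute under which the token was stored at login time. */
    static final String TOKEN_ATTRIBUTE = "securityToken";

    @Inject
    private TokenService tokenService;

    public String logout() throws IOException {
        ExternalContext ec = FacesContext.getCurrentInstance().getExternalContext();
        HttpServletRequest request = (HttpServletRequest) ec.getRequest();

        // Step 1a: revoke the external token BEFORE invalidating the session,
        // because the session is the only place the token is still reachable.
        String token = (String) ec.getSessionMap().get(TOKEN_ATTRIBUTE);
        if (token != null) {
            tokenService.invalidate(token);
        }

        // Step 1b: if container-managed security (Servlet 3.0+ login) is in use,
        // clear the authenticated principal as well.
        try {
            request.logout();
        } catch (ServletException e) {
            // The container could not log the caller out (e.g. no container-managed login);
            // there is nothing more to clear at this level.
        }

        // Step 2: drop the whole HttpSession: session-scoped beans, view states, component trees.
        ec.invalidateSession();

        // Step 3: redirect so the browser starts over with a fresh request; the container
        // issues a new session id only if a later page actually needs a session.
        ec.redirect(request.getContextPath() + "/login.xhtml");
        return null;
    }
}
```

The order matters: anything held only in the session (the external token here, or a session-scoped bean that wraps it) must be revoked first, because `invalidateSession()` makes those attributes unreachable. If the token lives in a session-scoped bean rather than a raw session attribute, inject that bean and read the token from it instead of from `getSessionMap()`.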