Paul Madsen makes an interesting analogy between basement drains and level of assurance in authentication. Living in Tampa I can't relate to basements (living a few feet above an aquifer makes basements highly impractical). I do like the analogy, but I would like to point out a few areas where I disagree with Paul.
Paul also compares password-based authn to Self-Issued Card authn and finds that Self-Issued Card authn gives a higher level of assurance. This might be true when you look at them in isolation, but it isn't true in terms of how the cards would be used over the entire lifecycle of the user. Since Self-Issued Cards are tied to a specific machine, sites would likely keep password authn as an alternative so that users can self-enroll cards on different machines. An account is only as strong as the weakest method the site accepts for it, so Self-Issued Card authn is no better than password authn in practice.
One could make the point (and I often do) that Self-Issued Card authn has a lower level of assurance because it only authenticates the machine, not the user sitting at the keyboard. This is much more of a problem in cubicle environments and in homes with shared computers. The problem is further compounded by the lack of an authentication context in the SAML 1.1 assertions that are typically used as the token in CardSpace and other Information Card implementations. For instance, there is no way for the RP to know whether the CardSpace Identity Selector has been configured for PIN protection on that particular Self-Issued Card.
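To make the RP-side consequence concrete, here is an added example (not code from the original post, and not CardSpace's own token format beyond the SAML version it uses): an RP inspects an incoming assertion for an authentication context and decides what it can actually conclude. The two tokens are constructed for this example, with signatures and most subject details omitted; the issuer URIs and the `urn:example:ac:classes:PinProtectedCard` context class are hypothetical. A SAML 1.1 assertion carries at most an `AuthenticationMethod` attribute on its `AuthenticationStatement`, which names a mechanism but says nothing about whether the card was PIN protected, so the policy below treats every SAML 1.1 token as machine-level; only a SAML 2.0 `AuthnContextClassRef` the RP explicitly trusts is counted as evidence that the user at the keyboard was authenticated.

```python
import xml.etree.ElementTree as ET

SAML11_NS = "urn:oasis:names:tc:SAML:1.0:assertion"  # SAML 1.0 and 1.1 share this namespace
SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed SAML 1.1 token standing in for a self-issued card token (hypothetical
# issuer and subject; no signature). The only authentication information available to
# the RP is the AuthenticationMethod attribute.
SELF_ISSUED_TOKEN = f"""
<saml:Assertion xmlns:saml="{SAML11_NS}" MajorVersion="1" MinorVersion="1"
                AssertionID="uuid-1" Issuer="urn:example:self-issued"
                IssueInstant="2007-05-01T12:00:00Z">
  <saml:AuthenticationStatement AuthenticationInstant="2007-05-01T12:00:00Z"
        AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:unspecified">
    <saml:Subject><saml:NameIdentifier>ppid-placeholder</saml:NameIdentifier></saml:Subject>
  </saml:AuthenticationStatement>
</saml:Assertion>"""

# Constructed SAML 2.0 token from a hypothetical managed issuer. SAML 2.0 lets the issuer
# describe how the user was authenticated through AuthnContextClassRef; the class URI
# used here is invented for the example.
SAML2_TOKEN = f"""
<saml:Assertion xmlns:saml="{SAML2_NS}" Version="2.0" ID="id-1"
                IssueInstant="2007-05-01T12:00:00Z">
  <saml:Issuer>urn:example:managed-issuer</saml:Issuer>
  <saml:AuthnStatement AuthnInstant="2007-05-01T12:00:00Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:example:ac:classes:PinProtectedCard</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""


def authentication_context(token_xml):
    """Return (saml_version, context) for an assertion.

    For SAML 2.0 the context is the AuthnContextClassRef text; for SAML 1.1 it is the
    AuthenticationMethod URI, which is a mechanism name rather than a context.
    """
    root = ET.fromstring(token_xml.strip())
    ref = root.find(f".//{{{SAML2_NS}}}AuthnContextClassRef")
    if ref is not None and ref.text:
        return "2.0", ref.text.strip()
    stmt = root.find(f".//{{{SAML11_NS}}}AuthenticationStatement")
    if stmt is not None:
        return "1.1", stmt.get("AuthenticationMethod")
    return None, None


# Hypothetical RP policy: context classes the RP accepts as proof that the person at the
# keyboard, not merely the machine, was authenticated.
USER_PRESENT_CONTEXTS = {"urn:example:ac:classes:PinProtectedCard"}


def assurance(token_xml, user_present_contexts=USER_PRESENT_CONTEXTS):
    """Classify a token as 'user' (user presence asserted) or 'machine'."""
    version, ctx = authentication_context(token_xml)
    if version == "1.1":
        # No authentication context exists in SAML 1.1, so the RP cannot learn whether
        # the selector required a PIN for this card: assume only the machine was proven.
        return "machine"
    if ctx in user_present_contexts:
        return "user"
    # Unknown or missing context: fail closed to the weaker interpretation.
    return "machine"


if __name__ == "__main__":
    for name, tok in (("self-issued", SELF_ISSUED_TOKEN), ("managed", SAML2_TOKEN)):
        print(name, authentication_context(tok), "->", assurance(tok))
```

The point of the default branch is that absence of a context is not neutral: an RP that wants to treat PIN-protected cards differently from unprotected ones has to fail closed, because the token gives it nothing to distinguish them with.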