Authentication is the process of determining caller identity. There are three aspects to consider:
1. Identify where authentication is required in your application. It is generally required whenever a trust boundary is crossed. Trust boundaries usually include assemblies, processes, and hosts.
2. Validate who the caller is. Users typically authenticate themselves with user names and passwords.
3. Identify the user on subsequent requests. This requires some form of authentication token.
Many Web applications use a password mechanism to authenticate users, where the user supplies a user name and password in an HTML form. The issues and questions to consider here include:
Are user names and passwords sent in plaintext over an insecure channel?
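The following is an added example, not code from the original text, showing how a server-side login handler can address the three aspects above and the plaintext-channel question in one place: it refuses form credentials that did not arrive over TLS, verifies the password against a salted PBKDF2 hash with a constant-time comparison (running the hash even for unknown user names so response timing does not reveal which names exist), and issues a random session token that identifies the user on later requests until it expires. The `request` dictionary, the in-memory `USERS` store, and the `alice` account are constructed stand-ins for a parsed HTTP form post and a real user database.

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Dict, Optional, Tuple

# PBKDF2 work factor. Kept modest so the example runs quickly; take the
# iteration count from current guidance for a production deployment.
PBKDF2_ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt is drawn when none is given."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


# Constructed in-memory user store (a real application would use a database).
USERS: Dict[str, Tuple[bytes, bytes]] = {
    "alice": hash_password("correct horse battery staple"),
}

# Dummy record used for unknown user names so the hash is always computed and
# the response time does not differ between "no such user" and "bad password".
_DUMMY_RECORD = hash_password(secrets.token_hex(16))

SESSION_TTL_SECONDS = 15 * 60
SESSIONS: Dict[str, Tuple[str, float]] = {}  # token -> (username, expiry time)


def authenticate(request: dict) -> dict:
    """Handle a login form post.

    `request` is a constructed stand-in for a parsed HTTP request:
    {"scheme": "https" | "http", "form": {"username": ..., "password": ...}}.
    """
    if request.get("scheme") != "https":
        # Refuse rather than accept credentials that crossed an insecure channel.
        return {"status": 403, "error": "credentials must be submitted over TLS"}

    form = request.get("form", {})
    username = form.get("username", "")
    password = form.get("password", "")

    salt, expected = USERS.get(username, _DUMMY_RECORD)
    _, actual = hash_password(password, salt)

    # Constant-time comparison; the same generic error covers unknown user and
    # wrong password so the response body does not leak account existence either.
    if username not in USERS or not hmac.compare_digest(actual, expected):
        return {"status": 401, "error": "invalid user name or password"}

    # Aspect 3: an unguessable token identifies the user on subsequent requests.
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = (username, time.time() + SESSION_TTL_SECONDS)
    return {
        "status": 200,
        "set_cookie": f"session={token}; Secure; HttpOnly; SameSite=Strict; Path=/",
        "token": token,
    }


def identify(token: Optional[str], now: Optional[float] = None) -> Optional[str]:
    """Map the token presented on a later request back to a user name.

    Returns None for a missing, unknown or expired token; expired entries are
    dropped from the store as they are encountered.
    """
    now = time.time() if now is None else now
    if not token:
        return None
    entry = SESSIONS.get(token)
    if entry is None:
        return None
    username, expiry = entry
    if now >= expiry:
        SESSIONS.pop(token, None)
        return None
    return username


def logout(token: str) -> None:
    """Invalidate a session token server-side."""
    SESSIONS.pop(token, None)


if __name__ == "__main__":
    result = authenticate({"scheme": "https",
                           "form": {"username": "alice", "password": "correct horse battery staple"}})
    print(result["status"], identify(result["token"]))
```

The `Secure` attribute on the cookie keeps the token itself off insecure channels on follow-up requests, which matters as much as protecting the initial password post: a token sent in plaintext is as useful to an eavesdropper as the password it stands for.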