- currently uses a password; other mechanisms can be easily added (SecureID)
- the “login object” generates a certificate
- this certificate identifies you in the future
- ideally, one “login object” should be able to give you access to all your MSRC accounts
- a goal of cross-domain Kerberos, but will it be accomplished?