Certificates are one way. But in a connected world Claims Based Identity/Authourisation makes much more sense as it pushes the management of who can do what into the "source" domain which is controlled by the user or organisation making a claim. See http://en.wikipedia.org/wiki/Claims-based_identity

As an example, I attempt to access this forum and this forum challenges me to supply credentials and a list of things I claim to be able to do (e.g. reply to a post). I reply to the challenge saying that my domain admin has configured me to post replies and supply an identity token issued by my domain server. The http://www.sqlservercentral.com web server responds by making a web request to my domain server which comfirms it issued the security token and the list of claims I'm making.

In the MS world this is handled by WIF built into the web server application, ADFS services being published to the i-net and something like CardSpace (or whatever its called now) on the client device.

Won't solve all the problems but solves many ...