Further to the curse just discussed, Mark Wahl points us to last year's NIST Knowledge-based Authentication Symposium web site. Several presentations take on the issues of authenticating to an infrequently-used service with potentially public information.