I attended an interesting talk in the last week that was based on a paper from MSR. It was interesting to hear that in this day where federated logins where you use your facebook, google or live credentials to login to some 3rd party site is very convenient but a lot of these 3rd party sites are not validating the security tokens correctly so they're open to attacks. Definitly worth a read if you're planning on using somebody else to authenticate your users on your web site.