You still haven't done what Peter Fairbrother quite rightly suggested: Write down exactly what you want your system to allow and disallow, and other details like how large (roughly - factor of 10) how many players (services needing authentication, people) are involved. Without that, you're just tossing around random crypto-related words.

-- Jerry