It got me thinking about Federation and trying to extend a different model of authentication and access to different users, different machines, different physical access levels, different logical (network) access for a single user type in multiple environs.
One thought I had was that interchangeability of factors lets me set up from zero-stringent to very stringent access control policies for virtually any environ. The POA (Point of Authentication) is the gatekeeper, the devices in the network are the cops/enforcers, and whether you are a user or machine, what the gatekeeper knows and shares with the cop governs where you go and what you do. There is also the O factor (Omnipotent) of full auditability, so if the gatekeeper is at lunch and the cop forgets TCP/IP for a second, everything is still logged in the event things get really interesting.
Business case examples:
I work for the FBI. I spend time at NSA, CIA, DEA, and State Police. We all use multiple databases that share subsets of information and disinformation. I have two 'badges'. One is my badge that I wear on my belt loop with a lanyard attached that has some/all pertinent information about who I am and my clearance level. In essence, where I can go in the physical world.
Then I have a laptop or PDA with a biometric scanner that can embed the biometric data, User ID/Password data, and a unique machine ID for my network access wherever I am.
That's a lot of factors, and gives me a lot of flexibility about how I manage who gets access to what, while keeping key data sets separate (somewhat) by using card and machine.
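The gatekeeper / enforcer / audit split described above, modelled as a small Python example. This is added illustration, not code from the post: the POA issues an HMAC-signed assertion listing which factors it verified (badge, biometric, password, machine ID) and the clearance level; each environment's enforcer applies its own policy (minimum clearance, minimum number of factors, specific required factors), which is how the same set of interchangeable factors can yield anything from a lax to a very stringent policy; and every decision, allowed or denied, lands in an append-only audit log. The shared key, policy table, environment names and function names are all constructed assumptions for the demo.

```python
"""Toy federated access model: one Point of Authentication (gatekeeper) vouches
for a subject's verified factors; per-environment enforcers decide from that
assertion; everything is audited. Constructed example, not from the post."""
import hashlib
import hmac
import json
import time
from dataclasses import dataclass

# Assumption: the gatekeeper and enforcers share this secret (a demo value only).
POA_KEY = b"constructed-demo-key-not-for-real-use"


@dataclass(frozen=True)
class Assertion:
    subject: str
    factors: frozenset   # factors the POA actually verified, e.g. {"badge", "biometric"}
    clearance: int       # physical/logical clearance level the POA asserts
    mac: str             # HMAC over the fields above, so enforcers can detect tampering


def _canonical(subject, factors, clearance):
    # Deterministic encoding so gatekeeper and enforcer MAC the same bytes.
    return json.dumps({"sub": subject, "factors": sorted(factors), "clearance": clearance},
                      sort_keys=True).encode()


def issue_assertion(subject, factors, clearance, key=POA_KEY):
    """Gatekeeper (POA): states which factors were verified and at what clearance."""
    mac = hmac.new(key, _canonical(subject, factors, clearance), hashlib.sha256).hexdigest()
    return Assertion(subject, frozenset(factors), clearance, mac)


def verify_assertion(a, key=POA_KEY):
    """Enforcer-side check that the assertion really came from the POA and was not altered."""
    expected = hmac.new(key, _canonical(a.subject, a.factors, a.clearance), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, a.mac)


# Per-environment policies (constructed): the same factors, different stringency.
POLICIES = {
    "lobby_wifi":   {"min_clearance": 0, "min_factors": 1, "required": set()},
    "field_office": {"min_clearance": 1, "min_factors": 2, "required": {"badge"}},
    "shared_db":    {"min_clearance": 3, "min_factors": 3, "required": {"biometric", "machine_id"}},
}

# The "O factor": every decision is recorded, whatever the outcome.
AUDIT_LOG = []


def enforce(environment, assertion, policies=POLICIES, log=AUDIT_LOG):
    """Enforcer (the 'cop'): decide access for one environment from the POA's assertion."""
    policy = policies[environment]
    if not verify_assertion(assertion):
        allowed, reason = False, "bad_assertion"
    elif assertion.clearance < policy["min_clearance"]:
        allowed, reason = False, "clearance_too_low"
    elif len(assertion.factors) < policy["min_factors"]:
        allowed, reason = False, "too_few_factors"
    elif policy["required"] - assertion.factors:
        missing = sorted(policy["required"] - assertion.factors)
        allowed, reason = False, "missing:" + ",".join(missing)
    else:
        allowed, reason = True, "ok"
    log.append({"ts": time.time(), "env": environment, "sub": assertion.subject,
                "factors": sorted(assertion.factors), "allowed": allowed, "reason": reason})
    return allowed


if __name__ == "__main__":
    badge_only = issue_assertion("agent", {"badge"}, clearance=1)
    full = issue_assertion("agent", {"badge", "biometric", "password", "machine_id"}, clearance=3)
    print("lobby, badge only:", enforce("lobby_wifi", badge_only))   # True
    print("office, badge only:", enforce("field_office", badge_only))  # False: too few factors
    print("shared db, all factors:", enforce("shared_db", full))      # True
    for entry in AUDIT_LOG:
        print(entry)
```

The point of the HMAC is that an enforcer never re-checks the biometric or password itself; it only checks that the gatekeeper vouched for them, which is what makes the factors interchangeable from the enforcer's point of view. Note that the audit entry is appended before `enforce` returns, so a denied request is logged just as a permitted one is.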