Authentication is the process of making sure that the person who is requesting a web service is really the person that they claim to be. This is done by requiring the user to provide a set of credentials. In return, they will receive a security token that can be used to access the server. The credentials usually take the form of a user id and password. On the other hand, the security token that is returned is usually more conceptual than physical. It can take the form of a cookie placed on their browser, a session id stored on the server or an actual string of characters. Architects and developers responsible for Web service security have a considerable number of options available. These options are further complicated by the fact that different projects and different organizations have different security requirements. This paper proposes a scheme for taking these requirements into consideration when proposing secure web service access methods.