User authentication is an important component of information security. It is critical in addressing many concerns that consumers and business have over the risk of identity theft. However, there is no systematic method to measure how good an authentication mechanism is in a given business context. This paper outlines nine criteria businesses can use to assess authentication systems. With these criteria, businesses are better equipped to select authentication systems that meet the needs of both their organization and their customers, and provide better protection against identity theft and other computer crimes.