In his DIDW presentation, Conor showed how Cardspace's security characteristics could be enhanced if underpinned by the Intel Identity Capable Platform.
In the demo, a strong authentication token (one stored in a secure region of the client) was issued by the IdP & provisioned into the client - this happening in a session based on a username/password authentication.
So, a strong credential hinged off a weak credential.
Conor acknowledged the perverseness of this - if you issue a credential that purports to give greater assurance than a password, you shouldn't do based solely on a password authenticated session - in practice you would need to supplement the password authentication with extra security, e.g. challenge questions, or something out of band etc.
To use an analogy (certain to spike my readership, even if only till the US political process spits out some other triviality to focus on) you can put lipstick on a pig, but all you'll end up with is a cosmetically enhanced porker.
Similarly, you can plaster on the lipstick of strong authentication like Tammy Faye but, if you are smearing it onto a pig of an identity proofing procesess, you'll still be eating the bacon of low assurance ...
I'm tired of the analogy. And hungry.