Using IM seems to be a good way to do authentication.

For Glancing, the client makes a www request to the server and says its buddyname and the secret held in common by the group.

The server validates this and sends a session key back to the client -- but via IM. This tests the IM returnpath, and means there's a thing which you can only log on at one location, that someone has signed up for etc (basically, it has presence) intrinsically bound up in the authentication.