I would recommend starting by reading up on the Claims-based Identity model. The current version of WIF (Windows Identity Framework) supports claims-based identity.
In a nutshell, this model is much more extensible (say, federation) and you don't have to worry about the nitty-gritty details of security code. You can start using claims now against your existing AD and then easily move to phases 2 and 3 by just pointing to, or adding, a new identity provider that you 'trust'.
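To make the "point at a new provider you trust, without rewriting security code" idea concrete, here is an added example (not from the answer above and not WIF's own sample code). It uses the `System.Security.Claims` types that WIF was folded into with .NET 4.5; the issuer names, user names and the `TrustedIssuers` set are constructed for illustration. The application logic asks one question, "does this principal carry a role claim from an issuer we trust?", and moving from AD to a federated STS is a change to the trusted-issuer list, not to the authorization code.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;

// Constructed demo: authorization keyed on claims, with the set of trusted
// issuers kept as configuration so a new identity provider can be added later.
class ClaimsDemo
{
    // Phase 1: only the local directory issuer is trusted.
    // Phase 2/3: add the federation STS here; CanApprove does not change.
    static readonly HashSet<string> TrustedIssuers =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        {
            "AD AUTHORITY",                     // constructed: local AD / Windows issuer
            "https://sts.example.test/trust"    // constructed: federated STS (phase 2)
        };

    // The only security decision the application makes: a role claim of
    // "Approver" counts only when it was issued by a trusted issuer.
    public static bool CanApprove(ClaimsPrincipal principal)
    {
        return principal.Claims.Any(c =>
            c.Type == ClaimTypes.Role &&
            c.Value == "Approver" &&
            TrustedIssuers.Contains(c.Issuer));
    }

    // Builds a principal as a token handler would after validating a token:
    // every claim is stamped with the issuer it came from.
    static ClaimsPrincipal PrincipalFrom(string issuer, string name, params string[] roles)
    {
        var claims = new List<Claim>
        {
            new Claim(ClaimTypes.Name, name, ClaimValueTypes.String, issuer)
        };
        claims.AddRange(roles.Select(r =>
            new Claim(ClaimTypes.Role, r, ClaimValueTypes.String, issuer)));

        // A non-null authenticationType marks the identity as authenticated.
        return new ClaimsPrincipal(new ClaimsIdentity(claims, "Federation"));
    }

    static void Main()
    {
        var adUser        = PrincipalFrom("AD AUTHORITY", "CORP\\alice", "Approver");
        var federatedUser = PrincipalFrom("https://sts.example.test/trust", "bob@partner.example", "Approver");
        var unknownIssuer = PrincipalFrom("https://unknown.example/sts", "carol", "Approver");

        Console.WriteLine(CanApprove(adUser));        // True
        Console.WriteLine(CanApprove(federatedUser)); // True
        Console.WriteLine(CanApprove(unknownIssuer)); // False: issuer is not trusted
    }
}
```

In a real deployment the `Issuer` on each claim is assigned by the token handler after it has validated the token's signature (in WIF, the issuer name registry maps the signing certificate to the issuer name), so the check above assumes that validation has already happened; a claim's issuer string is only meaningful once the token it came from has been verified.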