"Even in DC, Authentication is a Guess," writes Gunnar Peterson, and goes on to discuss the security problems faced by a minor politician who can't believe it really is the president-elect on the telephone.
Gunnar uses the example to illustrate the importance of separating authorization from authentication. In the normal case, authentication involves "piecing together your guess at the reality of the situation and then binding to the principal".
But risk is not the same as uncertainty, and there are alternative ways of taking risk out of the equation without removing the uncertainty. Sometimes instead of selecting (and binding to) the most likely reality, the best thing for security might be to detect the possibility of impersonation and produce a low-risk response that fits any of the possible realities.
In other words, you might be authorizing a range of possibilities, and then it is not so critical whether you can reliably authenticate a particular individual within that range.
So if you don't know whether the caller is the president or a radio prankster, the best thing to do is neither to hang up nor to say something foolish, but to find things to say that fit both possible contexts. And if a caller asks for information about your products, and you suspect it might be a competitor, then you give him a bit of information (in case it is a real customer) but not too much.
This is similar to my earlier points about responding to uncertainty in complex event processing.
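The two telephone cases above can be written down as a small authorization rule: instead of binding to the single most likely principal, keep every plausible one and grant only what all of them would be allowed. This is an added illustration, not code from the post or from Gunnar Peterson; the permission sets, the confidence scores and the plausibility threshold are constructed for the example.

```python
# Constructed (hypothetical) permission model: for each kind of caller, the set
# of things the callee is willing to do for that caller.
PERMISSIONS = {
    "president_elect": {"exchange_pleasantries", "discuss_policy", "give_private_number"},
    "radio_prankster": {"exchange_pleasantries"},
    "customer": {"send_brochure", "quote_list_price", "share_roadmap"},
    "competitor": {"send_brochure"},
}


def plausible_principals(scores, threshold):
    """Candidates whose authentication confidence is too high to dismiss.

    `scores` maps a candidate principal to a confidence in [0, 1]; anything at
    or above `threshold` stays in the set of realities we must cover.
    """
    return {principal for principal, s in scores.items() if s >= threshold}


def bind_to_most_likely(scores):
    """The usual approach: pick the best guess and authorize as that principal."""
    best = max(scores, key=scores.get)
    return set(PERMISSIONS[best])


def authorize_under_uncertainty(scores, threshold=0.05):
    """The approach the post argues for: authorize the whole range of plausible
    principals at once by granting only actions every one of them is allowed.

    The result is the low-risk response that fits any of the possible realities;
    uncertainty about who is calling remains, but the risk of a foolish answer
    is removed.
    """
    candidates = plausible_principals(scores, threshold)
    if not candidates:
        return set()
    return set.intersection(*(set(PERMISSIONS[p]) for p in candidates))


if __name__ == "__main__":
    # Is it the president-elect or a prankster? Stay on the line, be polite,
    # but do not hand over a private number on a guess.
    phone = {"president_elect": 0.6, "radio_prankster": 0.4}
    print("best guess:", bind_to_most_likely(phone))
    print("safe for both:", authorize_under_uncertainty(phone))
    # Customer or competitor? Send the brochure, keep the roadmap back.
    sales = {"customer": 0.7, "competitor": 0.3}
    print("safe for both:", authorize_under_uncertainty(sales))
```

Once a candidate's confidence falls below the threshold it drops out of the intersection, so a caller who is almost certainly a genuine customer gets the full customer treatment again.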