I’m trying to select the correct authentication mechanism for a WCF service. This article explains what the supported credentials are – I just don’t understand how to decide between them.
Please could somebody supply an explanation of when each of the authentication options is appropriate to use, and the advantages/disadvantages of each over the others.
For reference, the authentication options are:
- None
- Basic
- Digest
- Ntlm
- Windows
- Certificate
- Password
Note: I have seen a great MSDN article on this, but I cannot for the life of me find it anymore.
None:
Pretty straightforward – use this when you don’t want to identify or authenticate your users.
Basic and Digest:
These authentication types aren’t used much any more, but occasionally you might need to connect to an older web service hosted in IIS, which might be configured to use Basic or Digest authentication. Traffic won’t be encrypted. For Basic, the password will be sent in plain text, and for Digest the password will be sent in a poorly encrypted form. Avoid using these authentication types.
NTLM and Windows:
NTLM uses the NT LAN Manager to control security. Windows, by default, will use Kerberos (i.e. Active Directory) to control security. If Kerberos is not available, it will default to NTLM. Only use NTLM if you specifically need to avoid Kerberos (I cannot think of a scenario where you would want to do this, but part of WCF's greatness is its flexibility).
Certificate:
If your users have their own certificates which can be used to identify them, you might consider using this authentication mode. Passwords can be guessed – it is very hard to guess a certificate, so this is a pretty secure mode of authentication (provided the certificate itself is secure).
Password:
Use Password when you want to create your own method of validating a user's username and password. This might involve accessing an existing user credential store in a custom database. You will need to write your own UserNamePasswordValidator – example at http://nayyeri.net/custom-username-and-password-authentication-in-wcf-3-5.
To summarize, I usually choose Windows as the authentication mode. It is secure and simple and works for most people in an enterprise environment. If you’re creating a new service and for some reason Windows cannot be used, go for Certificate or Password. If you’re hooking into an older SOAP service hosted in IIS, you may need to look at using None, Basic or Digest.