When you have to be absolutely positive that the person logging into your secured web site is who they claim to be, you need to consider contacting your certificate authority and asking them to implement a security protocol that includes PKI authentication in order for anyone to log into your site. The reason for this lies along the lines of it being very easy to steal a username / password combination and gain access, but Public Key Infrastructure security is virtually impossible to hack.
PKI Requires More Than a Single Form of Identification
The reason that PKI is s secure is that it requires not only information that is already know such as a username / password combination, it also requires something that only the authorized person is going to have. This can include a secured number from an RSA token or an OTP token. The only person who will have access to all of the information required would be the person who is authorized entry, anyone else would simply be denied access.