We've got a client-facing site that has tonnes of logins and need ideas for a way to log in to each customer's account. It's all written in-house so a custom implementation is fine.
Previously a skeleton password was being used, but if that got leaked somehow it'd allow anyone access to all of our clients' accounts. A one-time pass for two-factor authentication is impractical because we need prompt access to their account, but having a unique ID per admin account would be beneficial.
A local instance is also unlikely because we have users that require access that have knowledge of the system but little knowledge of how to set up a local environment. Also, all info is stored on DBs that are not externally accessible. So, logging in to the web portal is the preferred method.
I'd also like to avoid relying on an IP address as we publicise our main office IP so I think that could be spoofed too easily.
Any other ideas?
Is there something similar to an SSH key that could be used for web-based authentication?