What security mechanisms might you employ for a login system beyond a username and rigorous password guidelines? I'm programming a billing/invoice system with PHP and MySQL, and I want to ensure that only the people responsible for the bill are the ones logging into it. What do banking sites do to ensure security?