The most secure approach I know of can be rather tricky, it involves creating a "PKI" certificate, loading the certificate into each browser that accesses the site.
The PKI is signed with a private key that you have (stored OFF the internet I might add) you also keep a PUBLIC key stored on the web server.
Your website user than imports the PKI file into their web browser, the certificate is verified (was it signed with your key?) and if so, you allow them access to your application.
No password or username is required, as this approach ensures that the person has a key that you signed. (it is still possible the PKI file is "stolen" but the same can be said of passwords)
You can give each person a unique PKI file, with a CN field set so that you can later revoke it. (or just have the application refuse access to it)
Only web browsers that have had the PKI files imported are allowed to login.
For more information, do a search on ask.com (or other search engine) for "PKI"
(I should mention, my product "GenieGate" does not use PKI based authentication, as it is a rather special case approach.)