The other option is to use Client Certs. Since the application will be accessed only by few users, you can generate client certs for each and have them use it as their authentication credentials. This method provides a good level of security.
If you want a higher level of security, you can opt for Two Factor Authentication such as Secure ID. Two factor means: Something what you have and something what you know. A Secure ID (something what you have) is a hardware token, which generates random series of numbers and is used as a passcode or pin. Something what you know - is your Username/ID or Account number which is mapped to the hardware token. Combination of both these factors authenticates a user.
This was first published in November 2003