For Windows authentication, could there be an option to query the domain controller as an extra level of security?
The user would need to enter their password so not much advantage over just staying with local accounts, but at least it would be just one password to manage.