It depends on what sort of Web application you have. And that boils down in most cases to how much your application directly touches money. In many or most cases, a good old-fashioned password works just fine. Here are some examples:
How do you get the certificate to the user?
How do you handle a user who has a desktop machine and a laptop?
There are many answers to these problems, but you need to solve them. That's an overview of the sort of options you have, with a number of examples. It depends on what you want to do and how you feel about it. I've seen the most sophisticated mechanisms used for business systems, as well as the least sophisticated ones used for similar business systems. In all security analysis, you have to make your own analysis of what you have to protect and how much effort to expend in doing it. Since you are using IIS, you should also be aware that IIS is considered the least secure Web server there is. If you are going to make a high-value system then you should strongly consider one of these options:
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.