I'm creating a website which will have various pages/functionality/information (PHP & MySQL) which is restricted based on who is viewing it. It is relevant to the employees of my organisation, but they will be based around the world. Security is paramount so I am trying to find ways to ensure unauthorised access is minimised. It will have the following security levels/features:

- User access control. Unregistered users have no access.
- Users are placed into usergroups. Usergroups are assigned permissions based on various pages/actions.
- There will be an Admin usergroup which cannot be edited by non-admins. Some permissions will also be restricted to this usergroup.
- There will be a superadmin who cannot be edited by anyone else regardless of admin status.
- all actions that impact the database are logged with IP, time, user info

Login page

- md5 or sha1 encryption on passwords and combination with 'salt' from user's database entry.
- access is controlled via session hashes.
- 10 failed logins -> blocked for x hours
- failed logins are logged & emailed to predetermined users' email addresses
- all successful logins are also monitored. If the geographical location of the login differs from the previous login on the same account, this is flagged and emailed.

Now the problem I'm having is if someone gets hold of someone else's password, there's not much else that I can do. The security stops there. What I'm looking for is further security steps in front of this.

One idea I have is a daily, random, "global" password in addition to user account passwords. This will be generated everyday (say at 2am) and emailed to "supervisors" who will actually meet or are in regular contact with people likely to use the website/system. That way, even if someone gets hold of someone's password, without knowing that day's global password, they won't be able to get in. This means any potential unauthorised entry will require knowing someone in the organisation who has the global password and is willing to give it over.

I could also check if the same account logs in from different geo locations in the same x hours/day.

Perhaps even more stringent security would be that upon registration of a user, they have to register their access points which binds their account to certain IPs.

Does anyone have any tips on hardening security? I don't mind ideas which are a little inconvenient for the users, because they are employees of an organisation so they don't require so much flexibility in access.