If all access is controlled by a firewall, couldn't you just block all incoming connections, yet add exceptions for yourself and the IP addresses/range of the SVT? (Obviously adding other exceptions for things like mail servers.) Then, whatever software authentication and solution you use, there is very little chance of somebody compromising it and gaining unauthorised access?
I'm just thinking along the lines of taking the users out of the equation (as much as possible) by adding a hardware firewall layer in place to reinforce the software authentication solution. "Prepare for your users to be much dumber than you could ever anticipate."