Have you discussed your approach with anybody who actually knows what they're doing? Because you really should, and if you have control over anything worth worrying about you should do it immediately.
Not so long ago I met with our physical penetration contractor. Unlike you and me, they spend a lot of time trying to use the Internet without being properly "authorized". They do all the expected things, they have the clothes and the gear, the patter and the looks. Do you know how many times they've been stopped in their tracks by network security? Never. Not once. Once in a while an employee won't hold open the door for the pretty young woman with her hands full. Every so often the front desk wants the guy with a high-visibility jacket and a toolbox to present a work order signed by the right person. Sometimes, rather than call the number from the official-looking papers, the security guard uses the phone book to get the real number. Some companies actually close the fire doors even though they're a convenient way to go outside for a smoke. But web-based "authentication"? Never a problem.