So you want to secure your shop. What do you focus on?
Had a bit of a discussion lately about how /in hospitals/ people leave their peecees logged in, even overnight, so it's dead easy to show up, say you're from IT, and "loan" the box for a bit. With full access to whatnot.
A simple solution to that might be, observing that in large enough hospitals people walk around with access cards anyway, to add a chip that you need to stick into the box before it'll give you a session and lets you log in. RFID probably wouldn't be such a swell idea here because there's no compelling reason to go over the air and every reason not to. Because you need that card with you anyway, perhaps to open doors and such, you'll automatically take that card with you when you leave or come and fetch it quick-like if you forget it--or you put it on a ski pass thingy.
Sun touted a thin client system (ray 100s, nice flatscreens, a big enterprise to run all that), that did exactly that and since the session wasn't tied to a terminal but to that card, the session traveled with you. This seems a useful property in a hospital, too.
This won't work for everybody, but for this particular workflow it would probably work well, and better than fingerprints or other biometrics.
Biometrics, as mentioned earlier by the by, have this property where replacement of the credential is far more expensive than faking it; simple fingerprint scanners can be fooled with gummy bears, but even other biometrics that are much harder to fake are still more expensive to replace in case of compromise than to fake. That's nice for criminal detection where the scrutiny will be intense and faking might be detected, not so nice for casual identity, where nobody pays much attention at all until after the horse has bolted.
You can require "multiple factors" but unless you can explain exactly why that helps in your case, you haven't really thought about your process. And that's the rub: It's your workflow more than anything that puts hard restraints on how you can improve your security before people will resort to sticky notes and thereby completely devastate your security efforts.
A keyfob might be nice, but a list of OTP passwords would do just as well. You'd use that for, say, external access from untrusted machines, but then do you really want untrusted machines on your network? That probably requires a separate "access only" VPN LAN, not a full joining into the internal network. Biometrics are the latest cool thing but should you still choose to trust that stuff and never cut your own fingers, you'd still need a reader which isn't universally available. Personally I like ssh keys on an at least moderately trusted box with big passwords to taste, and an agent to reduce the need to type those passwords. But then I know not to walk away from my box without securing the session--preferably through a hotkey or other. But that again won't work for everybody.
So, if it's your job to secure something, it's your job to spend some serious thinking on just what it is you want to achieve with that securing. If you stick to defaults like extra double strong passwords, expensive keyfobs, biometrics, and so on, without thinking much about it, you're not doing your job and any breach really is due to your negligence.
Sometimes security really comes down to exceedingly simple things like "the armed sentries let you through" or "have the key to the servers". And sometimes that's precisely enough. Deciding what is necessary and sufficient is what's important, everything else is just more tools to get the job done.
In short, getting people to apply basic security is very much a people problem. And people problems, technology can perhaps help with, but never solve.