What’s the Next Line of Defense?
I think it's clear that the next step should be the implementation of some form of two-factor authentication. While there are many ways to accomplish this, the cheapest and most cost-effective way is to distribute tokens such as the RSA SecurID. This is one of the better-known solutions, though it may not be cost-effective for small operations. However, PayPal recently implemented a similar solution (PayPal Security Key) that they are providing to customers for a one-time fee of $5 USD.
There are other methods and products as well, but businesses and government alike should begin evaluating their options. The threat is growing every day, and soon a password alone will not provide sufficient protection.