[eluser]WanWizard[/eluser]
As it so happens, I have certification in the auditor arena, and have as one of my projects the security of an access control management and IDM system for a central government.
Related to this subject, it is important to have an audit trail of which user did what, an audit trail of every action related to user and rights management, and proof that you have a secure login system.
It doesn't say anywhere that an account can't be logged in twice at any given moment.
My point is that if you fear misuse of the account (which is @sojic's statement), you fail to prove that you have a secure login system. If this is absolutely paramount for your application, you need to use strong authentication, and a lot more security measures at the backend, so that for example it can be proven that file and database data is secure. Also, you need to protect your audit logs from tampering, so you need to write them to another system, in a signed log. And I would like to have the application checked by a specialized company for security issues at the application layer. And a re-check whenever the code changes.
Proving that you're secure isn't easy, and isn't cheap.
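
The following is an added example, not part of the original post: one way to build the signed, tamper-evident audit log the post calls for, using an HMAC chain in which each record's signature also covers the previous signature. The key, field names and sample events are constructed, and the sketch assumes the key lives only on the separate log system.

```python
import hashlib
import hmac
import json

# Assumption: the signing key is held only by the separate log host, not the application.
LOG_KEY = b"constructed-demo-key-not-for-production"
GENESIS = "0" * 64


def _sign(key, prev_sig, body):
    # Canonical JSON so the same record always yields the same bytes.
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, prev_sig.encode() + payload, hashlib.sha256).hexdigest()


def append_entry(log, key, user, action, timestamp):
    """Append a record whose signature covers the record and the previous signature."""
    prev_sig = log[-1]["sig"] if log else GENESIS
    body = {"seq": len(log), "ts": timestamp, "user": user, "action": action}
    log.append({**body, "sig": _sign(key, prev_sig, body)})
    return log[-1]


def verify_log(log, key, expected_count=None):
    """Return (True, None) if intact, else (False, index of the first bad record)."""
    prev_sig = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "sig"}
        # A wrong seq means a record was removed or reordered.
        if body.get("seq") != i:
            return False, i
        if not hmac.compare_digest(_sign(key, prev_sig, body), entry.get("sig", "")):
            return False, i
        prev_sig = entry["sig"]
    # Truncation at the tail is only detectable against a count kept elsewhere.
    if expected_count is not None and len(log) != expected_count:
        return False, len(log)
    return True, None


def build_sample_log():
    # Constructed sample events covering login and rights management.
    log = []
    append_entry(log, LOG_KEY, "alice", "login", "2024-01-01T09:00:00Z")
    append_entry(log, LOG_KEY, "alice", "grant role=admin to bob", "2024-01-01T09:05:00Z")
    append_entry(log, LOG_KEY, "bob", "login", "2024-01-01T09:06:00Z")
    return log
```

The chain alone cannot reveal records dropped from the end, which is why `verify_log` accepts an `expected_count` that has to be stored somewhere other than the log itself.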