In this case, you need to use a number of parameters for maximum protection, to choose from or all at once:
- ip address
- screen resolution
- browser ID
- SMS code
- when you log in from another user with the same login / password, close other other sessions of this account

Consider authorization through client certificates.

It will log in as a super-duperadmin, which will have a secret button that will write incomprehensible abracadabra in localStorage. Next, log in as a super-supercustomer along with abracadabra - if abracadabra came to the server along with a login-password - OK, otherwise - "oh, something went wrong."
It's easy to implement - make a hidden input in the form, where, when loading the authorization form with a script, write localStorage.getItem ('supersecretabrakadabra') - if it is not in the storage on this computer, then it will not reach the server.
The only disadvantage of this solution is the need to log in as an administrator. But the idea can develop further - for example, on the server, add the "bound" field to the user database, if the field is clear, then at the first login of the customer, abracadabra is also written in localStorage and transferred to the server, the server writes it to the "bound" field and all subsequent attempts to log in break off if the abracadabra does not match. Well, I don’t think it’s worth talking about the fact that abracadabra should be generated each time uniquely.
Further more. The customer can be provided with two buttons - "bind" and "unbind", the first will ask the server to bind to a new abracadabra, the second - to clear the "bound" field, respectively, allow login from another device. Of course, the "unbind" button should be present only in the case of an already existing binding. Then the server admin will have to be pulled to manually clear the "bound" field only in case of exceptional situations, for example, the death of a screw on a bound machine