You can also require users to be authenticated (through SSO or other mechanism) before they log in, which could defeat some impersonation attempts.