As web applications have become a necessity of contemporary societies, there is an increasing need to secure access to these applications. This talk explains how web applications can add the "what-you-have" factor to strengthen user authentication and enhance the security, without compromising the ease of use generally associated with the traditional username/password method. In particular, we will describe smart card based authentication methods, including OTP, TLS mutual authentication, and X.509 certificate-based challenge/response. Although these methods have their strengths and weaknesses in terms ofsecurity and usability, they all significantly enhance the authentication for web applications.