You could use a solution based on certificates (PKI infrastructure): you create your own certificates that you send to your customers (each customer gets his own), and check it using a server side logic similar to what's described here: ASP.NET WebForms : Implementing PKI Authentication. It's not an ASMX example, but the Http Module logic is the same.

The advantage is users will not have to enter any password, as their browser should be able to present the certificate if requested by the site.

Of course, users can still copy and send certificates to other users, so you will still need some monitoring mechanism, based on the IP address for example (even if it's not 100% fullproof, it's better than nothing). Once you have detected a certificate seems dead (used by too many persons), you can mark it as non valid on your server for example, and send a new one to the legitimate user.