WCF Security strategy to prevent sharing of username/passwords

I want to design a WCF service for my client that can be called via the internet from my client's business partner. What WCF security strategy should I apply so as to prevent the scenario in which the business partner gives his username/password for the service to a competitor of my client, allowing the competitor to call the service such that the service thinks it is the business partner calling. I.o.w. is there a way in WCF security to verify that the caller of the service is indeed the business partner and not a 3rd party using the business partner's username/password? Any advice would be much appreciated.


That is usually handled by agreements among partners. Your partner must sign an NDA with $$$ sanctions for providing your confidential information to another party.

People are responsible for securing credentials. You can never secure your service enough to avoid any disclosure of credentials. Even a client certificate can be installed on another machine.

The ways to make this harder go beyond WCF - access lists for IP addresses, VPN tunnels, etc.


You can mitigate it by using mutual certificate authentication, using an SSL client cert to identify the client. However, this is not enough, as a rogue client can export the cert and give it to a competitor. The only other way I can think of is, if you know your client's IP addresses, you can restrict connection requests to only those IP addresses using firewall rules.

0
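Both answers name client certificates and IP restrictions as ways to raise the bar. As an added example (not from the original thread), a WCF `ServiceAuthorizationManager` can enforce the two together inside the service, so a call is accepted only when a pinned certificate arrives from an address agreed for that partner. The class name, the thumbprint placeholder and the addresses are assumptions, and the service is assumed to already require certificate client credentials.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Claims;
using System.Linq;
using System.Net;
using System.ServiceModel;
using System.ServiceModel.Channels;

// Hypothetical class for this example: authorizes a call only when the client
// certificate is pinned AND the connection comes from that partner's addresses.
public class PartnerAuthorizationManager : ServiceAuthorizationManager
{
    // Constructed sample data: placeholder thumbprint, documentation-range addresses.
    private static readonly Dictionary<string, HashSet<IPAddress>> Partners =
        new Dictionary<string, HashSet<IPAddress>>(StringComparer.OrdinalIgnoreCase)
        {
            {
                "<PARTNER-CERT-THUMBPRINT>",
                new HashSet<IPAddress> { IPAddress.Parse("203.0.113.10"), IPAddress.Parse("203.0.113.11") }
            }
        };

    protected override bool CheckAccessCore(OperationContext operationContext)
    {
        // 1. Certificate the client authenticated with; absent means deny.
        X509CertificateClaimSet certClaims = operationContext.ServiceSecurityContext?
            .AuthorizationContext?.ClaimSets.OfType<X509CertificateClaimSet>().FirstOrDefault();
        if (certClaims == null) return false;

        // 2. The thumbprint must belong to a known partner.
        HashSet<IPAddress> allowed;
        if (!Partners.TryGetValue(certClaims.X509Certificate.Thumbprint, out allowed)) return false;

        // 3. Source address of the connection, as seen by the WCF transport.
        object value;
        if (!operationContext.IncomingMessageProperties.TryGetValue(
                RemoteEndpointMessageProperty.Name, out value)) return false;
        var remote = value as RemoteEndpointMessageProperty;
        IPAddress caller;
        if (remote == null || !IPAddress.TryParse(remote.Address, out caller)) return false;

        // Deny unless both factors match, then run WCF's normal policy evaluation.
        return allowed.Contains(caller) && base.CheckAccessCore(operationContext);
    }
}
```

Behind a reverse proxy or load balancer the address WCF reports is the proxy's, so in that deployment the address check belongs at the edge device instead. This narrows where a shared credential can be used from; it does not replace the contractual controls the first answer describes.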
