That code looks pretty solid, and I'll throw in a few pointers, maybe some food for thought.
One has to realize there is never a system out there that will guarantee 100% security from the client side, because you as the coder/developer can only implement so many security measures. Many people, if you look at statistics online, use the same password for multiple sites, ranging from social networks, email, forums, online services, etc. One of the many ways you can prevent this is forcing your clients to change their password every month or so, and preventing the same passwords from being used. If someone is trying to access your client's information and the thief/criminal knows the individual on a personal level, he can attack other sites which have his information and haven't implemented proper security measures, and the cyber criminal will most likely try it on other sites he knows the victim is using the password on. If you can manage to steal the password from one site, you can try that password on several other websites regardless of how secure your code is.
There was a case not too long ago where the CEO of Yahoo refused to use a passcode on her iPhone, and a lot of confidential information, such as emails with co-workers, was on her phone. Yahoo implements a great security system for login, but the security hole could be the CEO. Imagine someone stole her phone.
So think about this carefully if you are worried about security. A lot of people believe it's the code itself; in most cases it's not.