Kaseya implements many industry standard security methods to protect against replay / man in the middle attacks, but what happens if someone knows my username and password?
Username and password authentication is the industry standard. It is a type of single-factor authentication - 1 part identifies you, 1 part confirms that identity. The problem is that if someone knows those same 2 pieces of static information, then there is nothing stopping them masquerading as you.
A possible solution to this is to introduce a 2nd factor, something that is unique to you - a handprint, fingerprint, optical scan, etc. A common second factor is an RSA SecurID key. These can be costly and hard to implement. Kaseya itself does not support such authentication methods, however these are implemented at the web server or OS level.
Kaseya runs on IIS, so any additional authentication would be done on IIS rather than within the kaseya web pages. There is much information on the internet about installing such systems.
Sometimes a simpler solution is enough - if you expect your kaseya admins to be working from a particular office or location, you can use your firewall to block access to connections that are not coming from a known location. Denying access to port 80 (or whichever port IIS is listening on) adds more protection. Even if someone knew a valid username and password, they woud also have to be at a particular location to reach the web interface.