So doing a liitle looking around I cane across some options that look
interesting, the following options would mean you need to physically have
something to login.
yubikey
http://www.yubico.com/products/yubikey/
It would require a pam module and for us to setup a server for managing keys.
it looks to be fairly low cost. it would implement a 2 facter
authentication.
etoken
http://www.aladdin.com/etoken/devices/pro-usb.aspx
it moves the public key from your hard drive to something you physically need
to have
ubikey is max USD$25 where the etoken is probably at least USD$30. I would
think that with yubikey we could work out a deal with them to get a discount
in return for us being a case study/prominent user of there product. all of
the software for yubikey AFAICT is open source. some of it would require
packaging.
Dennis