>
>I agree with Paul. I would find your approach very intrusive. Maybe you could look into something like this:
http://en.wikipedia.org/wiki/SecurID. At my old company we used those for VPN access.
Actually, if a lot of security is really needed, a VPN solution might not be a bad way to do this - install something like OpenVPN (which is free) on the client w/their own private certificate and set-up a machine as the server. Have them open the VPN tunnel before accessing your site - your site wouldn't actually be open to the internet. One it's configured the first time, installation is fairly painless.