Any recommendations on getting some type of double authentication for webaccess?

We were thinking some type of private/public key that would only allow you to access webaccess if you have the private key (and its password).

Ideas?