What a brilliant idea. The only flaw I can see here is if the passcard, (which would need to be stored in a db somewhere) were compromised along with user login information.
Yes, if the site is storing the information insecurely, like MD5, then the user is still hooped.