We will look into offering two-factor authentication depending on feedback from the userbase.
Well, it seems your user base is speaking pretty loud and clear...
Your dev team will probably find that doing really good 2FA gets pretty complicated, and using third-party key fobs like RSA tokens is quite expensive.
FWIW, I suggested a "poor man's version" of second-channel confirmation in this thread:
http://forum.bitcoin.org/index.php?topic=25982.0
This is very easy to implement, and would at least add an extra layer of security while you work on a more robust solution.
Other posters have pointed to a number of alternatives. For example, for customers with Android smartphones, there are probably a dozen Droid apps that could serve the purpose (and if there isn't, just whisper the idea into the wind, and it'll be in the Market tomorrow). Even text messages sent to an ordinary cell phone might be workable.
You'll want to get *something* in place pretty quickly though, just to show that you're a serious player, and that you are responsive to your users. Thanks for listening!
My only concern is that the user has to be 100% secure at setup time for the crypto-card. Zero-knowledge protocols like Kerberos may be a good way of overcoming this limitation. Open source Kerberos implementations are also available readily.