Before I go off and re-invent, does OpenACS have an implementation of per-browser trust? Apparently U.S. regulations will require banks to make it mandatory at some point in 2007.
As an example of an implementation, my banks calls it "Enhanced Login Security", and it works through an additional trust cookie: You log in as normal with your user id and password. From a trusted browser, the user experiences no difference. But if you log in from a browser without trust cookie ("a computer the bank doesn't recognize"), they mail you a short-lived one-time passkey and redirect you to a page where you enter it to start a session. Once you're in, you can have them set the trust cookie on the current browser -- obviously you wouldn't do that, e.g., at a library. In contrast to the session, which expires after some minutes of inactivity, the trust cookie lasts a year. It is silently renewed at every login.