I tried to find a few FI’s that I could point you to that had OTP listed as a two factor method, but I just turned up a bunch of old white papers.  I did find mention of FI’s in Germany that used paper for the OTP and various ones using SMS.

The setup should be fairly simple;

• Create a system to create random sets of 8 ( or more ) character pads, they should be random but careful to make it easy for users to separate 0 and O.  Maybe only upper and lower case with no numbers?
• These should not be guessable or form any sort of pattern, so maybe use a hashing function. Just don’t hash 1, 2, 3, 4.
• When creating the pad one copy is associated with the user and stored as part of the authentication system and the other is handed off.
• The system should know when a user is nearing the end of the current pad and prompt for the creation of the next.

1) Use a security key fob

Pros

- Adds that something you have element to the authentication system.

- Unless the FOB is stolen unauthorized access to the account should be fairly difficult. ( This has happened before with RSA and some defence contrators. )

- Cheaper then theft.

Cons

- These items can be pricey.

- They can get lost and increase the cost of owner ship.

- End users may find these complex.

2) SMS or smart phone app

Pros

- Something you have.

- fairly inexpensive.

- If the device is lost the destination number could be updated in person.

Cons

- Not everyone has a smart phone or cell.

- There could be costs encouraged by the user to receive the sms messages.

3) One Time Pad ( OTP )

Pros

- Cheap, real cheap.

- Something you have.

- Could be created in house.

- Very simple and easily managed by a end user.  Compared to other solutions it’s not very complex.

Cons

- Can be created in house, you want to make sure this is done correctly.

- Users still may find this complex.

There is some institutions already doing these things, I can hardly claim them as my own.  Also I am sure I have left some off the list.