Sir
I worked on a project a few years back that could solve all of these password problems, the thing got built never got put into business unfortunately, and now the company has folded.
Basically it was an outsourced RSA solution with HSM's etc. Anyone could take out a servive and rent the authentication cards, then you just plug in to the network via VPN and run your access software locally (web site or whatever) and it would send off the password to the server farm, which then said yay or nay.
Worked pretty well and removed all of those tedious support issues that you get with hosting your own RSA solution.