Certificate file. Generated on registration and handed over as a download and shredded server-side. Not as trust-fulfilling as a user supplying one, but less of a learning curve. (Still need validation on it either way, which can be painful).
Which, of course, means "forgot my password" doesn't work.
Which, of course, means "forgot my password" doesn't work.