Two-factor authorization makes it hard for thieves and owners. Thieves have to acquire the phone/dongle and owners have to keep it. Google's two-factor authentication is popular, works on a phone as sms, voice, or application.
Avoid the application because you don't know how the phone or application manages the secret tokens. It's not possible for normal people to restore those tokens if they get lost after an iPhone upgrade or memory gets scrambled.
Do use two-factor with SMS messages because it's easy to read, no state is kept on your phone, and is attached to your phone number. If you lost the phone, you can port the phone number to another phone very quickly.
You should also print out the backup codes and carry a few in your pocket with a custom cipher applied.