Plenty of simple-to-implement two-(or-more-)factor authentication schemes already exist. It's not like we need to reinvent the wheel. Also, as for root access over ssh, I don't know of any current implementation of sshd that doesn't have a simple way to prevent remote root login. In some, you need to explicitly allow it. Eric