Why not implement something similar to the old-fashioned call-back scenario used in the dial-up days?
The user hits a URL and it returns a random string.
The user then must contact a different URL with the random string within x amount of time to gain access for y amount of time.

On my home Win7 servers (web, mail, ftp) I keep things simple and control most things at the router. I filter inbound IP addresses. The port numbers used for access and the forwarded IP vary according to a schedule. My D-Link router holds 24 port-schedule entries. At the server level I use a lengthy pass phrase. At one time I used secure tunnels, RSA SecurID, etc. Over the past few years I've simplified things by eliminating Windows domains, mirrored servers, TPM devices, etc. I bought the consumer grade D-Link DIR-855 because of its extensive ACL capabilities.
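Here is what the two-URL call-back idea from the first paragraph looks like as server-side logic. This is an added example, not code from the poster; the class name, method names and the two HTTP endpoints it stands in for ("issue" for the first URL, "claim" for the second) are my own choices. It makes the details the post leaves open explicit: the random string is single-use, it is bound to the address that requested it, it must be claimed within x seconds, and a successful claim opens access for y seconds. The clock is injectable so the expiry paths can be exercised without waiting.

```python
import hmac
import secrets
import time
from typing import Callable, Dict, Tuple


class CallbackGate:
    """Two-step access gate: issue a random challenge, then accept a timely claim.

    challenge_ttl  = x seconds the challenge stays claimable
    access_ttl     = y seconds of access granted after a good claim
    clock          = monotonic time source (injected so tests can fake it)
    """

    def __init__(self, challenge_ttl: float, access_ttl: float,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.challenge_ttl = challenge_ttl
        self.access_ttl = access_ttl
        self.clock = clock
        # token -> (issued_at, client_ip); a token is single-use
        self._pending: Dict[str, Tuple[float, str]] = {}
        # client_ip -> access expiry time
        self._granted: Dict[str, float] = {}

    def _sweep(self) -> None:
        """Drop expired challenges and expired grants so tables stay small."""
        now = self.clock()
        self._pending = {t: (at, ip) for t, (at, ip) in self._pending.items()
                         if now - at <= self.challenge_ttl}
        self._granted = {ip: exp for ip, exp in self._granted.items() if now < exp}

    def issue(self, client_ip: str) -> str:
        """First URL: hand the caller a fresh 256-bit random string."""
        self._sweep()
        token = secrets.token_urlsafe(32)
        self._pending[token] = (self.clock(), client_ip)
        return token

    def claim(self, client_ip: str, token: str) -> bool:
        """Second URL: accept the string if it is unexpired, unused and
        presented from the same address it was issued to."""
        self._sweep()
        match = None
        # Compare against every pending token in constant time rather than
        # doing a direct dict lookup, so timing does not leak a partial match.
        for candidate in self._pending:
            if hmac.compare_digest(candidate, token):
                match = candidate
        if match is None:
            return False
        issued_at, bound_ip = self._pending.pop(match)   # single-use: remove now
        if bound_ip != client_ip:
            return False
        self._granted[client_ip] = self.clock() + self.access_ttl
        return True

    def is_allowed(self, client_ip: str) -> bool:
        """Check used by the protected service before serving a request."""
        expires_at = self._granted.get(client_ip)
        return expires_at is not None and self.clock() < expires_at


class FakeClock:
    """Constructed test clock: time advances only when .t is set."""
    def __init__(self) -> None:
        self.t = 0.0

    def __call__(self) -> float:
        return self.t


if __name__ == "__main__":
    # Constructed walk-through: 30 s to claim, 10 min of access afterwards.
    clock = FakeClock()
    gate = CallbackGate(challenge_ttl=30, access_ttl=600, clock=clock)
    tok = gate.issue("203.0.113.5")            # documentation-range IP, constructed
    clock.t = 10
    print("claim in time:", gate.claim("203.0.113.5", tok))   # True
    print("allowed now:", gate.is_allowed("203.0.113.5"))      # True
    print("replayed claim:", gate.claim("203.0.113.5", tok))   # False (single-use)
    clock.t = 610
    print("allowed after y:", gate.is_allowed("203.0.113.5"))  # False
```

The two checks worth keeping whatever the transport is: the token is removed before it is validated any further, so a replay fails even if the address check later passes, and the grant is keyed by address rather than by token, so the caller's second URL never needs to repeat the secret.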