Sounds fair enough. I'm not looking for the same security as online banks, but I'm aiming close.
So what I have now is a regular username/password login with a one-time password sent to the user on either phone or email. This is also required when making changes to the account, e.g. changing the password.
I've also looked at integrating YubiKey support (mine is on its way from the store now), but I'm not sure if there is a security benefit in replacing the one-time passwords from email/SMS with one from the YubiKey, other than the danger of someone eavesdropping on the email communication.