Use a hash of the access log as an additional kind of password. The access log (Computer/Access Time/Access ID) is known to the client and the server. Intruders would need to listen and record the communication from the beginning.

http://www.heise.de/newsticker/Identity-Management-OpenID-mit-openid4java--/meldung/139607