Hardware token to authenticate web application

I would then suggest Yubikey (http://www.yubico.com). Yubikey is an OTP hardware token that pretends to be a keyboard (thus requiring NO extra software installation), and then sends a 128-bit encrypted secret to the server. The tokens are fully programmable by the administrator, and it's possible to use the token in a variety of ways. You could either use the tokens password-less, e.g. use the tokens as a one-factor "what you have" authentication.

But you can as well have the user type a password prior to pressing the button on the token.

It's also possible to configure the token to either use a public identity and then a unique AES key per user, OR you could use a secret identity and then iterate through all AES keys and decrypt (e.g., if you have 10 users then you iterate through the 10 different AES keys stored on the server), but the process can be CPU-consuming, OR you could have the same AES key for all users.

If you select any of the first alternatives, you could use any of the Yubico tokens. If you go for the last alternative, I would suggest the Yubikey NEO, which has a tamper-resistant cryptographic smart card chip, which makes it impossible for a rogue user to tamper with the Yubikey to extract the AES key (that would make it possible for this rogue user to identify itself as another user).

The advantage of using a secret identity is that if someone finds the Yubikey, they won't be able to find out who it belongs to. Another advantage of the NEO is that it has NFC support, and can generate the signals that an "NFC URL sticker" does, but appending an OTP to the end, like "http://www.example.com/login.php?otp=ifhgieififhgieififhgieififhgieif", so the user can use his Yubikey to log in via an NFC-compatible mobile phone.
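As an added example (not part of this answer and not Yubico's own code), here is what the server side of the lookup modes described above looks like in Go. It assumes the Yubico OTP layout: 12 modhex characters of public identity followed by 32 modhex characters that AES-128-ECB-decrypt to a 6-byte private identity, a 16-bit use counter, a 24-bit timestamp, an 8-bit session counter, 16 random bits and a CRC-16; the `Token` record and `Verify` function are hypothetical names. The per-user-key mode selects the key by public identity, the secret-identity mode tries every stored key, and the shared-key variant falls out of the same loop when all records hold the same key.

```go
package main

import (
	"crypto/aes"
	"errors"
	"strings"
)

const modhex = "cbdefghijklnrtuv" // Yubico's keyboard-layout-independent hex alphabet
type Token struct { // hypothetical per-key server record, not a Yubico API
	PublicID  string   // 12 modhex chars, or "" for a key programmed without a public identity
	PrivateID [6]byte  // secret identity carried inside the encrypted block
	Key       [16]byte // the key's AES-128 secret
	Counter   uint32   // highest accepted useCounter<<8|sessionCounter, for replay detection
}
// crc16 is Yubico OTP's reflected CRC-16 (poly 0x8408, init 0xffff). A valid block stores the
// inverted CRC of its first 14 bytes little-endian in bytes 14-15, so over all 16 bytes it is 0xf0b8.
func crc16(b []byte) uint16 {
	c := uint16(0xffff)
	for _, x := range b {
		c ^= uint16(x)
		for i := 0; i < 8; i++ { c = c>>1 ^ 0x8408&-(c&1) } // xor in the poly when the low bit is set
	}
	return c
}
// Verify accepts a 44-char OTP (public ID + body) by looking up that ID, or a 32-char body alone
// by trying every stored key (the secret-identity scheme), and advances the replay counter.
func Verify(tokens []*Token, otp string) (*Token, error) {
	var pub string
	if len(otp) == 44 { pub, otp = otp[:12], otp[12:] }
	if len(otp) != 32 { return nil, errors.New("malformed otp") }
	body := make([]byte, 16) // modhex-decode the 32 chars into the 16-byte AES block
	for i := 0; i < 32; i++ {
		v := strings.IndexByte(modhex, otp[i])
		if v < 0 { return nil, errors.New("malformed otp") }
		body[i/2] = body[i/2]<<4 | byte(v)
	}
	pt := make([]byte, 16)
	for _, t := range tokens {
		if pub != "" && t.PublicID != pub { continue }
		blk, _ := aes.NewCipher(t.Key[:]) // 16-byte key, so NewCipher cannot fail
		blk.Decrypt(pt, body)             // a single block: AES-128-ECB
		if crc16(pt) != 0xf0b8 || string(pt[:6]) != string(t.PrivateID[:]) { continue } // wrong key
		ctr := uint32(pt[7])<<16 | uint32(pt[6])<<8 | uint32(pt[11]) // use counter (LE), session counter
		if ctr <= t.Counter { return nil, errors.New("replayed otp") }
		t.Counter = ctr // persist before answering, or the same OTP can be replayed
		return t, nil
	}
	return nil, errors.New("otp rejected")
}
```

The cost of the secret-identity path is one AES block decryption per enrolled key, which is the CPU concern raised above; the counter must be stored durably before the login is accepted.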


The CryptoStick uses the Web Cryptography API to expose keys to the browser. It's likely that the proposed USB security token product would use a similar technique. CryptoStick is open source, so it is easy for 3rd parties to verify its security.

The 2-factor authentication that I use regularly is Google Authenticator, which makes it very easy for web applications to support two-factor auth. It seems like more and more services are supporting Google Authenticator; LastPass and Amazon AWS are good examples.