A way to do this properly and securely would be to have the ability to generate application-specific passwords, like you can with Google Accounts. That way, you can have two-factor auth for humans, and still use the API for data access.
... View more