2-Step verification is now available for Google Apps (free) edition. When enabled by an administrator, it requires two means of identification to sign in to a Google Apps account. A mobile phone is the main requirement to use the second form of identification. It doesn’t require any special tokens or devices. After entering a password, a verification code is sent to the user’s mobile phone via SMS, voice calls, or generated on an application they can install on their Android, BlackBerry or iPhone device.
This makes it much more likely that it is the user accessing the data: even if someone has stolen the password, they’ll need more than that to access the account. Users can also indicate when they’re using a computer they trust and don’t want to be asked for a verification code from that machine in the future.