I've been thinking how you'd do this as a generic application for web apps. A daemon somewhere on the web that resets your password once a day for all the web apps you use to "original password+unique daily code". Then you log in with that code from your phone and your original password.
Very interesting, I assumed someone would be working on something like this. I guess it's a big market, if you can convince bigcos to trust the phone to be secure.
But then you need to have the original password in cleartext somewhere, so I would say that is not the way you do it. I think the way this is more likely to be done is by generating a random token that is broken up into pieces using XOR magic. Each factor in the auth process gives you access to one piece of that token. You combine those pieces back together using more XOR magic and, if your token matches the original token, you can proceed.
http://en.wikipedia.org/wiki/SecurID
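
The XOR splitting described in the comment above, as an added example that is not part of the original thread. It assumes one share per factor with every share required, and that the verifier keeps only a SHA-256 digest of the token; the function names and token length are hypothetical.

```python
import hashlib
import hmac
import secrets
from functools import reduce

TOKEN_LEN = 32  # bytes; constructed value for this example


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("shares must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def split_token(token: bytes, n: int) -> list[bytes]:
    """Split token into n shares; all n are needed to rebuild it."""
    if n < 2:
        raise ValueError("need at least two shares")
    # n-1 shares are uniformly random; the last is the token XORed with all
    # of them, so any subset smaller than n is statistically independent
    # of the token.
    shares = [secrets.token_bytes(len(token)) for _ in range(n - 1)]
    shares.append(reduce(xor_bytes, shares, token))
    return shares


def combine(shares: list[bytes]) -> bytes:
    """XOR all shares together; order does not matter."""
    return reduce(xor_bytes, shares)


def enroll(n_factors: int) -> tuple[bytes, list[bytes]]:
    """Create a random token; return (digest kept by verifier, shares)."""
    token = secrets.token_bytes(TOKEN_LEN)
    # Assumption: the verifier stores a digest, never the token itself.
    return hashlib.sha256(token).digest(), split_token(token, n_factors)


def verify(stored_digest: bytes, presented: list[bytes]) -> bool:
    """Recombine the presented shares and compare in constant time."""
    if not presented:
        return False
    try:
        candidate = combine(presented)
    except ValueError:
        return False  # malformed share length
    return hmac.compare_digest(hashlib.sha256(candidate).digest(), stored_digest)
```

This is an all-or-nothing (n-of-n) split: losing any one factor's share makes the token unrecoverable, so a real deployment needs a separate recovery path.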