As an example of an implementation, my banks calls it "Enhanced Login Security", and it works through an additional trust cookie: You log in as normal with your user id and password. From a trusted browser, the user experiences no difference. But if you log in from a browser without trust cookie ("a computer the bank doesn't recognize"), they mail you a short-lived one-time passkey and redirect you to a page where you enter it to start a session. Once you're in, you can have them set the trust cookie on the current browser -- obviously you wouldn't do that, e.g., at a library. In contrast to the session, which expires after some minutes of inactivity, the trust cookie lasts a year. It is silently renewed at every login.