Web authentication with hardware token?
Hello.
The site currently implements authorization by SSL certificates installed in the browser. I would like to move the certificate and private key to an external device. It is desirable that the device is not a banal flash drive holding the private key, but one that signs the authorization request itself, without any possibility of extracting the private key.
I.e., I want:
* A device in the format of a credit card (USB, or smart card)
* With a cryptoprocessor, so that all signature operations take place on the device and it is not possible to extract the private key
* A certain amount of open memory to store mainly the certificate.
* Cross-platform (Win, BSD, Lin, Mac) and cross-browser.
* Preferably native support, without installing any PKI, on both the client side and the server side (native support on the server side matters most).
Aladdin e-Token Java in smart card form factor.
Requires installation of client drivers (eToken PKI Client).
Requires a smart card reader (the USB token form factor is more convenient to work with (if there is no built-in reader, for example, on a laptop), but it survives fewer insertions, after which either the socket or the connector will loosen).
Supports RSA keys in non-retrievable form, i.e. all crypto processing goes inside the chip.
On the server side, accordingly, any software that "understands" client SSL certificates with RSA keys (in my opinion, there is one for any platform; Microsoft IIS was used in our project).
The client software is already quite well debugged.
In general, I recommend it. By no means an advertisement. RuToken should also have a similar product - their product line is completely identical to Aladdin's, but I have not held it in my hands. At a recent exhibition, by the way, they talked a lot about an interface plug-in for all web browsers - you could look in this direction.
A smartphone with an application (better to start with Android).
The private key is generated on the smartphone using a code (4-6 digits) for the web session (QR code or manual entry).
Once the server has given the smartphone the "OK" (so it can display a message that everything is fine), set a flag on the server that this particular session is authorized and the certificate is confirmed.
AJAX on the web page will automatically show that everything is OK and you can work already authorized.
The session can be closed either from the smartphone or from the web page by issuing the command "end the session and exit".
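The flow sketched in this answer, as an added Go example that is not from the answer's author or from any product named on the page: the device-side key is held only inside a Device value and used solely to sign, while the server issues a one-time session code, verifies the signature under the enrolled public key, and flags the session for the page's AJAX poll. The challenge format, the function names and the choice of Ed25519 are assumptions of the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Device stands in for the smartphone app or smart card: the key never leaves it except as a signature.
type Device struct{ priv ed25519.PrivateKey }

func NewDevice() (*Device, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	return &Device{priv: priv}, err
}

// Public is the only thing the device exports: the key the server enrols for the user.
func (d *Device) Public() ed25519.PublicKey { return d.priv.Public().(ed25519.PublicKey) }
func (d *Device) Sign(sessionID, code string) []byte {
	return ed25519.Sign(d.priv, challenge(sessionID, code))
}

// challenge is the hypothetical message format: session id plus the one-time code.
func challenge(sessionID, code string) []byte { return []byte(sessionID + ":" + code) }

// Server holds enrolled keys, pending one-time codes and authorized sessions.
type Server struct {
	keys            map[string]ed25519.PublicKey
	codes, sessions map[string]string
}

func NewServer() *Server {
	return &Server{map[string]ed25519.PublicKey{}, map[string]string{}, map[string]string{}}
}
func (s *Server) Enrol(user string, pub ed25519.PublicKey) { s.keys[user] = pub }

// NewSession issues the random code the web page shows as a QR or for manual entry.
func (s *Server) NewSession(sessionID string) string {
	b := make([]byte, 3)
	rand.Read(b) // crypto/rand.Read is guaranteed not to fail since Go 1.24
	s.codes[sessionID] = fmt.Sprintf("%x", b)
	return s.codes[sessionID]
}

// Confirm is the smartphone's call: a valid signature under the enrolled key authorizes the session; the code is consumed, so no replay.
func (s *Server) Confirm(user, sessionID string, sig []byte) error {
	pub, known := s.keys[user]
	code, pending := s.codes[sessionID]
	if !known || !pending || !ed25519.Verify(pub, challenge(sessionID, code), sig) {
		return fmt.Errorf("session %s: authorization rejected", sessionID)
	}
	delete(s.codes, sessionID)
	s.sessions[sessionID] = user
	return nil
}

// Poll answers the page's AJAX check: is the session authorized yet, and for whom?
func (s *Server) Poll(sessionID string) (string, bool) { u, ok := s.sessions[sessionID]; return u, ok }
```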