I use the Google Authenticator (which is a part of the EPEL library for RedHat) to log onto my own remote machines. Same with Gmail and Amazon's AWS.
For PayPal and eBay, I have both SMS authentication, and a keyfob. That way, if I lose my phone, I'm not utterly hosed.
For a couple games, I use a phone app.
For my virtualization host, I use IP address protection, where it will send E-mail to my gmail account (protected by two factor authentication) if I try to log on from a new IP range.
None of this is 100%, but it means an attacker has to do more than just yank a password out of RAM.
One nice thing about Android is that the apps that give the validation codes can be easily backed up encrypted using Titanium Backup, and stored on a cloud provider. That way, if the phone gets lost, I can get another Android phone, restore the data, and be back in business.
