I mentioned above that conventional Cosign authentication is based on Kerberos: i.e. usernames, and passwords.
However, it also turns out that, since v2, Cosign has had (some) support for multi-factor authentication. The relevant document to read is linked to from Cosign’s home page, and is “Cosign Multi-Factor Specification, 20 March 2006, Draft 6”.
That’s good news: it means that the necessary infrastructural support for ‘two-factor’ authentication is already present in Cosign.