[Under consideration] Another way to lock/unlock the device
allnameswereout
2009-10-26 , 17:02
Posts: 3,397 | Thanked: 1,212 times | Joined on Jul 2008 @ Netherlands
First of all, physical access is jackpot. Therefore, advanced, highly secure methods of authentication aren't very effective because all data is plain text on flash. They're rather necessary on a different layer such as in whole disk encryption (LUKS, TrueCrypt) or keyring (gnome-keyring, keepassx).
Therefore, it makes sense to provide authentication methods in a library so one can authenticate with other services as well. These layers can be disabled or enabled by user request. This could range from SSH access to login on t.m.o. Sounds scary? Perhaps. But if you use a password to access your keepassx database, and this is compromised, your data inside is wide open. Whether you use the SSH key automagically once authed, or have to manually use it, is of no concern.
One time passwords; allow user to generate OPIE keys in situations high security is necessary.
MicroSD with key
The following I came up with as well, but they're rather easily circumvented; however, together with another method they're 'fun'. Also, it is important to note a PIN-based authentication where the user must press buttons to authenticate is not strong either, because such can be read by human eye and camera (see skimming of ATM cards).
Facial recognition on camera; more difficult to mimic than the next 2, but our photos are widely available, a 3D printer should do the trick.
Fingerprint recognition on camera; can be copied with magnesium + sticker (plenty available especially on device), should not be used only or for serious authentication.
Voice recognition; can be copied by microphone (widely available and used by humans), should not be used only or for serious authentication.
BlueProximity; BT addr can be cloned, rather more interesting to use the N900 for Bluetooth authentication with home computer or laptop.
RFID; same as BT, and actually easily cloned (see Melanie Rieback's RFID research), but supposedly not widely abused yet.
The user can select several authentication methods, and is able to stack these. For example:
- Requiring fingerprint AND MicroSD card
- Requiring OPIE OR PIN
- Requiring ONLY fingerprint
Besides BlueProximity, GPS can be used to determine the allowed and/or denied authentication methods. This allows one also, for example, to use different PIN in different situations.
Pseudo-plausible deniability: Something else cool is that when authentication keeps failing, the thing logs in, but it's all a dummy honeypot... which could provide some kind of plausible deniability when one is forced to log in to their phone.
Sidenote: None of the above covers locking the device again, while this is important as well.
References: Linux-PAM modules, BSD_auth, RFC2289 A One Time Password System, RFC1760 The S/KEY One Time Password System.
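The stacking the post proposes (methods combined with AND / OR / ONLY, with the active policy chosen by context such as a GPS zone) as an added example in Python; this is not code from the post or from the Maemo platform. The enrolled PIN hash, card identifier, the `match` string from the fingerprint matcher and the zone labels are all constructed stand-ins.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Callable, Dict, Tuple

# Constructed "enrolled" data. On a real device this belongs in a keyring or
# on the encrypted volume the post describes, not in plain text on flash.
ENROLLED_PIN_HASH = hashlib.sha256(b"4711").hexdigest()   # sample PIN 4711
ENROLLED_CARD_ID = "microsd-serial-0001"                  # hypothetical card id

Evidence = Dict[str, str]
Authenticator = Callable[[Evidence], bool]

def check_pin(ev: Evidence) -> bool:
    # Constant-time compare of the hash so a wrong PIN does not leak by timing.
    got = hashlib.sha256(ev.get("pin", "").encode()).hexdigest()
    return hmac.compare_digest(got, ENROLLED_PIN_HASH)

def check_microsd(ev: Evidence) -> bool:
    return hmac.compare_digest(ev.get("card_id", ""), ENROLLED_CARD_ID)

def check_fingerprint(ev: Evidence) -> bool:
    # Stand-in for the camera matcher: the sensor reports a match or not.
    return ev.get("fingerprint") == "match"

REGISTRY: Dict[str, Authenticator] = {
    "pin": check_pin, "microsd": check_microsd, "fingerprint": check_fingerprint,
}

@dataclass(frozen=True)
class Policy:
    op: str                     # "AND", "OR" or "ONLY"
    methods: Tuple[str, ...]

def evaluate(policy: Policy, ev: Evidence) -> bool:
    # Every stacked method runs, so the outcome does not reveal which one failed.
    results = [REGISTRY[m](ev) for m in policy.methods]
    if policy.op == "AND":
        return all(results)
    if policy.op == "OR":
        return any(results)
    if policy.op == "ONLY":
        return len(results) == 1 and results[0]
    raise ValueError(f"unknown operator {policy.op}")

# Context (a GPS-derived zone in the post; a constructed label here) picks the policy.
POLICY_BY_ZONE = {
    "home": Policy("OR", ("pin", "microsd")),
    "travel": Policy("AND", ("fingerprint", "microsd")),
}
DEFAULT_POLICY = Policy("ONLY", ("fingerprint",))

def unlock(zone: str, ev: Evidence) -> bool:
    return evaluate(POLICY_BY_ZONE.get(zone, DEFAULT_POLICY), ev)
```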