This paper proposes a secure two-factor authentication (TFA) system that relies on a password and a crypto-capable device. In cases such as compromised communication lines, server or device vulnerabilities, and offline or online attacks on user passwords, the approach provides the highest feasible security bounds for the given set of compromised components. The proposed approach constructs a TFA scheme using either SAS message authentication or any PIN-based authentication. The paper also proposes a secure software architecture for implementing an enhanced public-key cryptography system for mobile applications, together with an efficient implementation of this modular structure that can use any password-based client-server authentication method without relying on a risky single-layer password authentication architecture.