You can't use a time token, because the system you're trying to authenticate to doesnt have network access to validate the response.
And a USB key still needs a PIN/Password, so you won't solve your forgotten password issue, and you'll add a forgotten token issue to the equation.
Do you have the same problem with Windows passwords? Did you ever try using the EEPC self recovery options? maybe that could reduce calls?