Hello Simon,
If you are talking about web access to the system then this scenario can be implemented when SAML 2.0 is used. For a web application which provides sensitive data you can either force re-authentication with a password or require specific SAML 2.0 authentication context means authentication method, e.g. PIN. In this case even the user is authenticated with the ABAP system when he navigates to such application he will be redirected to the SAML 2.0 identity provider (IDP) to re-authenticate, either with a password or with a PIN. If you are interested in further details let me know.
Regards,
Dimitar
P.S. SAP provides SAML 2.0 compliant IDP which can easily be extended to support any authentication method using JAAS login modules: http://scn.sap.com/community/netweaver-sso/blog/2013/02/28/competitive-advantages-of-sap-identity-provider. With the next SP of NW SSO we plan to support by default also authentication with time-based one-time passwords (TOTP) - http://tools.ietf.org/html/rfc4226.