phpass HAVE BEEN CRACKED! What is the solution?

[eluser]Unknown[/eluser]
I know this thread is old, but I just wanted to suggest something that I haven't found here and have your opinion.
The most secure methods are at risk when the hacker is after only one password and not the whole users table. Or, in lack of a target, I'd concentrate in the first records as, odds are, one (or more) of them is the admin.
A rather extreme, but very useful method is what Google and Steam do: two-factor authentication. Basically, after a successful login, send a unique token to the user's email or phone, have him enter it on the site, and remember it for 30 days or so. Is extremely unlikely for an attacker to have access to that unique code, and, if so, probably won't store cookies during the attack, prompting for the token each time.
You can do it as I described, by sending an email, or send it to the users phone using DUO Security API (if you can afford it - http://www.duosecurity.com/ ) or building your own mobile app.
I found this to be a very good security method when used along with a good hashing algorithm + random salt. What do you think?