I can certainly understand the need for access control & security,
but with the use of a smart-card one-time password system, this is
a moot point.
Huh? How are you going to stop a system from "illegally"
(in the sense of the provider, contracts, or whatever)
acting as -say- www, ftp, or whatever server with such
a one-time password system? You'll need access control
*based on IP addresses* to reach that goal!
Piet