Maybe a better idea would be allow users to restrict access to their accounts to specific IP addresses.
If someone steals the cookie, then they wouldn't be able to login.
That shouldn't be too hard, just changes to verify_id_num and verify_id_num2 ? (along with an interface of course)
This means those on static IPs can be sure that no one can access their account, except anyone that gets on their machine