I know this is over a year old, but I wanted to leave this here if you or some other future Googler finds it useful.
Someone recently-ish gained access to my saved passwords in Google and was thus able to access my DigitalOcean account, reset my root password, and log in via the console.
As a result I decided to implement this: https://github.com/shitchell/response-test
It detects if the login session is coming from a physical TTY (which the online console appears to be), and if so, presents a customizable challenge phrase/response (glorified second password). If they get it wrong, they’re dropped into a pseudo shell that mimics /bin/sh but with broken commands so that it appears not that they’ve been locked out, but that the system is just horribly broken.
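The gating logic the comment above describes, sketched as an added example (not code from the linked repository and not the commenter's implementation). The function names, the list of console device patterns and the hashed-phrase storage are assumptions made for illustration.

```shell
#!/bin/sh
# Added illustration of a console-only challenge gate; all names are hypothetical.

# Return 0 when the tty path names a local console (virtual terminal,
# serial or hypervisor console) rather than a pty such as /dev/pts/N,
# which is what SSH sessions get.
is_console_tty() {
    case "$1" in
        /dev/tty[0-9]*|/dev/ttyS[0-9]*|/dev/hvc[0-9]*|/dev/console) return 0 ;;
        *) return 1 ;;
    esac
}

# Hash a response so the expected phrase is never stored in clear text.
hash_response() {
    printf '%s' "$1" | sha256sum | cut -d' ' -f1
}

# Compare a typed response against the stored hash.
check_response() {  # $1 = typed response, $2 = expected hash
    [ "$(hash_response "$1")" = "$2" ]
}

# Decide the outcome for a session:
#   allow = not a console tty, no challenge needed
#   pass  = console tty, correct response
#   fail  = console tty, wrong response (caller would hand off to the decoy shell)
console_gate() {  # $1 = tty path, $2 = typed response, $3 = expected hash
    if ! is_console_tty "$1"; then
        echo allow
    elif check_response "$2" "$3"; then
        echo pass
    else
        echo fail
    fi
}

# Constructed sample paths, classified for demonstration.
for t in /dev/tty1 /dev/ttyS0 /dev/pts/0; do
    if is_console_tty "$t"; then echo "$t: console"; else echo "$t: pty/other"; fi
done
```

In a login profile this would be driven by something like `console_gate "$(tty)" "$typed" "$stored_hash"`. Because the check runs after the password has already been accepted, logging or alerting on the `fail` result gives it value as a tripwire as well as a second prompt.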