This is a pretty interesting issue - from what I’ve read about them, a cryptographic smart card (as opposed to a memory smart card) is really a little computer that digitally signs authentication requests sent over the wire. That way, your secret key is never exposed outside of the smart card (not even to the computer the smart card terminal is connected to).
There are some standards - notably the Javacard API and PC/SC. Also, some browsers - Mozilla and IE I think - natively support Smart Card functionality so you can use the Smart Card like a client certificate in a browser. But I don’t see how it would be simple to implement SC functionality in non-browser environments like EI or other developer tools that don’t support Smart Cards directly.
A (more expensive) alternative is using RSA SecurID tokens - these are little matchbox-size boxes that display new passwords every 60 seconds. The login/password request must be validated by a central RSA server which each of these SecurID tokens is synchronized to. This way, you use constantly-changing username/password pairs – works fine as long as the broker or IS can query the RSA external server for authentication.
Do let us know what you come up with.