I've done something similar, but with SMS authentication. The process I used was:
To make this work, you need to store your normal user roles in a different relation than System.UserRoles, because you will be setting the UserRoles association to a specific user role for authentication.
Furthermore, this doesn't really add security: one or two passwords doesn't really add anything security-wise. To improve security, you should add a random token (e.g. SMS code or Google authentication code).