You could do this pretty easily:
1. User enters credentials
2. Program generates a unique key
3. Program encrypts User Cred + Unique Key using whatever decrypt-able method
4. Program sends encrypted data to server-side via POST
5. Server gets data, decrypts with predefined/predictable salt
6. Server enters Unique Key into database, code associated with User Creds
7a (if fail). If user has more than 2 associated with user, send failure as server response
7b (if success). Encrypt unlock code with decrypt-able method
8. Send the new code as the server response
9. Program receives code, unencrypted
10. Program checks validity, then saves key in safe method
11. Program is now unlocked, all automated.
Requires basic/moderate knowledge of PHP and a database (SQL, probably MySQL), and would work safely, and PHP runs on call with an apache2 request, so it's not really "always running", besides the apache2 listen service.
Alternatively, if you can find a way to use SSL (correctly), you wouldn't need to encrypt sent data on client end, making the whole thing just a bit simpler.
I'm actually working on a cURL extension for doing things like this, without needing complex client/server side encryption. I got annoyed with the GET object's lack of HTTPS/SSL support.
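
An added sketch of the server side of steps 5 to 8 and the client check in step 10, not code from the post. It assumes the POST arrives over HTTPS (the SSL alternative above), uses in-memory SQLite in place of MySQL, and replaces "encrypt unlock code with decrypt-able method" with an Ed25519 signature from PHP's sodium extension, so the shipped program holds only a public key. All table, function and variable names are hypothetical.

```php
<?php
// Added example; names are hypothetical and the demo data is constructed.
const MAX_KEYS_PER_USER = 2; // step 7a, read here as "at most 2 keys per user"

function openDb(): PDO { // SQLite in memory stands in for MySQL
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (name TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)');
    $db->exec('CREATE TABLE activations (name TEXT, unique_key TEXT, PRIMARY KEY (name, unique_key))');
    return $db;
}

// Steps 5-8: check credentials, record the unique key, return a signed unlock code.
function activate(PDO $db, string $signSk, string $user, string $pw, string $key): array {
    $q = $db->prepare('SELECT pw_hash FROM users WHERE name = ?');
    $q->execute([$user]);
    $hash = $q->fetchColumn();
    if (!is_string($hash) || !password_verify($pw, $hash)) {
        return ['ok' => false, 'error' => 'bad credentials'];
    }
    $q = $db->prepare('SELECT unique_key FROM activations WHERE name = ?');
    $q->execute([$user]);
    $known = $q->fetchAll(PDO::FETCH_COLUMN);
    if (!in_array($key, $known, true)) {          // a key already on file may re-activate
        if (count($known) >= MAX_KEYS_PER_USER) { // step 7a: refuse a third key
            return ['ok' => false, 'error' => 'activation limit reached'];
        }
        $db->prepare('INSERT INTO activations VALUES (?, ?)')->execute([$user, $key]);
    }
    // Steps 7b/8: the unlock code is a signature binding this user to this key.
    $sig = sodium_crypto_sign_detached(json_encode([$user, $key], JSON_THROW_ON_ERROR), $signSk);
    return ['ok' => true, 'code' => base64_encode($sig)];
}

// Step 10: the program verifies the code with the public key only.
function clientCheck(string $signPk, string $user, string $key, string $code): bool {
    $sig = base64_decode($code, true);
    return is_string($sig) && strlen($sig) === SODIUM_CRYPTO_SIGN_BYTES
        && sodium_crypto_sign_verify_detached($sig, json_encode([$user, $key], JSON_THROW_ON_ERROR), $signPk);
}

$db = openDb();
$db->prepare('INSERT INTO users VALUES (?, ?)')->execute(['alice', password_hash('s3cret', PASSWORD_DEFAULT)]);
$kp = sodium_crypto_sign_keypair();
$sk = sodium_crypto_sign_secretkey($kp);
$pk = sodium_crypto_sign_publickey($kp);
foreach (['key-A', 'key-B', 'key-C'] as $k) { // the third key exceeds the limit
    $r = activate($db, $sk, 'alice', 's3cret', $k);
    echo $k, ': ', $r['ok'] ? (clientCheck($pk, 'alice', $k, $r['code']) ? 'unlocked' : 'bad code') : $r['error'], "\n";
}
```

On MySQL, run the lookup and insert inside one transaction with the user's rows locked, so two parallel requests cannot both pass the limit check.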