In order for something on a USB stick to "provide something to the website", some sort of program will need to run on the user's PC and communicate with the site. This activity looks so much like a virus that most computers will block the communications in the firewall or in their internet security.
The best you could do would be to have a program on the memory stick that generates a supposedly random number. Base this on the current date and time and some other static predefined characters and then apply MD5 or something similar. Every time the program is run, a different number appears. Have this key shown on a totally impressive "Your Personalised Security Key" screen.
Bonus points if you can make this key dozens of characters long and you can disable cut and paste "for security reasons".
On the website, have the standard htpasswd user name and password challenge to keep people out, then a totally impressive splash screen that demands the "Boss Security Key". Enter that number in the box and let the script de-MD5 it to get the original date and time and the original static character string back out. Now compare the date and time supplied by the server clock with that entered by the user in the "key" and if they are within 5 minutes of each other, allow access.
Bonus points if you arrange that the name of the security key program is an acronym that spells out IDIOT or something similar...
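The time-window check described above, as an added example that is not part of the original post: a hash cannot be reversed, so the server recomputes the key for every time step inside the 5-minute window and compares it with what the user typed. It uses HMAC-SHA256 in place of MD5; the secret value, the 30-second step and the function names are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 30          # assumed granularity of the time component
WINDOW_SECONDS = 5 * 60    # the post's "within 5 minutes" tolerance
SECRET = b"constructed-demo-secret"  # placeholder for the static string on stick and server


def _derive(secret: bytes, counter: int) -> bytes:
    """Keyed hash of the time-step counter, hex-encoded."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha256)
    return mac.hexdigest().encode("ascii")


def make_key(secret: bytes, now: float) -> str:
    """Client side: the key displayed to the user for the current time step."""
    return _derive(secret, int(now) // STEP_SECONDS).decode("ascii")


def verify_key(secret: bytes, submitted: str, server_now: float) -> bool:
    """Server side: accept if the key matches any step within the window.

    The tolerance is exact to the step size, so clocks up to one step
    beyond 5 minutes apart can still match.
    """
    centre = int(server_now) // STEP_SECONDS
    span = WINDOW_SECONDS // STEP_SECONDS
    candidate = submitted.strip().lower().encode("utf-8")
    ok = False
    for counter in range(max(0, centre - span), centre + span + 1):
        # compare_digest keeps the comparison constant-time; no early exit
        ok |= hmac.compare_digest(_derive(secret, counter), candidate)
    return ok


if __name__ == "__main__":
    t = 1_700_000_000  # constructed timestamp
    key = make_key(SECRET, t)
    print(key, verify_key(SECRET, key, t + 120), verify_key(SECRET, key, t + 400))
```

Anyone who can read the program on the stick can read the static secret too, so the key only proves possession of a copy of that file.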