This document proposes a two-factor authentication access control system for web-based cloud computing. The system uses attribute-based access management enforced with both a user's secret key and a lightweight security device. This enhances security by requiring both factors for access. Attribute-based management also allows the cloud server to limit access based on user attributes while preserving privacy, as the server only knows if a user satisfies an access predicate, not their identity. The paper introduces an object-sensitive role-based access control model called ORBAC that can parameterize roles based on object properties. It also aims to formally validate programs against ORBAC policies using a dependent type system for Java.