Some hardware auth tokens such as Yubikey support a challenge-response mode. i.e. you initialise the token with a secret which is henceforth only available to the token (backup of the key excluded). You take the user's password and send it as the challenge to the token, which calculates a HMAC using the key and returns the response, which is used as the database password.
e.g. https://sourceforge.net/p/passwordsafe/discussion/134800/thread/7463e2a3/#7e4e
It'd be neat if enpass supported this.