I like Yubikeys: https://www.yubico.com/. They show up as a USB keyboard, so you don't have to type the codes in.
There are some disadvantages. Yubikeys use a shared secret instead of public key crypto. Also, the one-time password is iteration-based, not time-based. On the bright side, you can program Yubikeys with your own secrets. They may not be as secure as properly configured RSA tokens, but they're much better than authing with just a password or client cert.
Yubikey NEO (latest revision) is like the one you already have + a java card that comes with a PGPcard app (and supposedly, you can write your own apps)
They don't have a timer like the RSA key fobs, and need a USB or NFC connection - but are generally very reliable, and given their constraints.
The questiion, of course, is what reason you have to believe that yubico (and for that matter, gemalto, g10code and the rest) are not similarly in bed with the NSA.
You were probably just as horrified as most of the other employees at Bloomberg when that info became public. The bad apples cost Bloomberg a lot of reputation. My point is that "trust" is very elusive, very easy to lose, very hard to gain.
OTOH, are the "bad apples" at Bloomberg who condoned that behavior still in positions of power? Did they even get a slap on the wrist? If I were at Goldman, JPM, Citi, etc. I wouldn't "trust" Bloomberg until I saw some higher up people fall on their sword for that fiasco.
If I were at Goldman et al. I would expect Bloomberg to treat employees that successfully use underhanded tactics, as business as usual, the same way I would probably have seen such employees (and maybe myself) treated by my own organization: "Job well done boys, but you better cool it for awhile. BWA ha ha ha! Have a cigar and a hooker."
There are some disadvantages. Yubikeys use a shared secret instead of public key crypto. Also, the one-time password is iteration-based, not time-based. On the bright side, you can program Yubikeys with your own secrets. They may not be as secure as properly configured RSA tokens, but they're much better than authing with just a password or client cert.