
How do you authenticate something you are? Specifically across a medium like the internet? Fingerprint scans?


Generally, "something you are" is some sort of biometric. Fingerprint, iris, hand geometry, palm veins, face and voice are all possible. Some laptops have fingerprint readers; face/voice recognition would probably work fine through a cheap webcam. I'm not sure how you'd prevent replay attacks if you were running it over the internet.


For single or small-n user systems, the best practice that's evolved around this is to not actually send the fingerprint image to the remote server. A trusted security module has a private key and the biometric sensor, and the remote server has the public key. The trusted security module locally validates the fingerprint, and then signs a message that can't be replayed to indicate the fingerprint was presented.
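
The exchange described in the comment above, as an added example that is not part of the thread: the module signs a fresh server challenge only after a local match, and the server accepts each challenge once. The names `createModule`, `createServer`, `signChallenge` and `localMatch`, the Ed25519 choice, the origin binding and the 60-second lifetime are all assumptions of this sketch.

```javascript
const crypto = require('crypto');

// Bytes that get signed: server identity + one-time challenge (binding to the
// origin is an assumption of this sketch, not something stated in the thread).
const payload = (origin, challenge) =>
  Buffer.concat([Buffer.from(origin + '\0'), challenge]);

// Hypothetical trusted module: owns the private key and the sensor.
// localMatch() stands in for the on-device fingerprint comparison.
function createModule(localMatch) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  return {
    publicKey, // enrolled with the server; the fingerprint never leaves
    signChallenge(challenge, origin) {
      if (!localMatch()) return null; // no match, no signature
      return crypto.sign(null, payload(origin, challenge), privateKey);
    },
  };
}

// Hypothetical server: issues single-use challenges, checks signatures.
function createServer(publicKey, origin, ttlMs = 60000) {
  const pending = new Map(); // challenge (hex) -> expiry time
  return {
    newChallenge(now = Date.now()) {
      const challenge = crypto.randomBytes(32);
      pending.set(challenge.toString('hex'), now + ttlMs);
      return challenge;
    },
    verify(challenge, signature, now = Date.now()) {
      const id = challenge.toString('hex');
      const expiry = pending.get(id);
      pending.delete(id); // consumed on first use, whatever the outcome
      if (expiry === undefined) return 'unknown-or-replayed';
      if (now > expiry) return 'expired';
      if (!signature) return 'bad-signature';
      const ok = crypto.verify(null, payload(origin, challenge), publicKey, signature);
      return ok ? 'ok' : 'bad-signature';
    },
  };
}

// Constructed run: a fresh response is accepted, the captured copy is not.
function demo() {
  const origin = 'https://example.test'; // constructed value
  const mod = createModule(() => true);
  const server = createServer(mod.publicKey, origin);
  const challenge = server.newChallenge();
  const sig = mod.signChallenge(challenge, origin);
  return [server.verify(challenge, sig), server.verify(challenge, sig)];
}
```

Because the challenge is deleted on its first verification attempt, a captured signature is useless afterwards even though it is still cryptographically valid.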



