Firstly, unless you're tricky you won't be able to catch Ctrl-Alt-BkSpace which will kill X and leave any malicious users logged in as your user. You can get around this by maybe aliasing startx to 'startx; logout' but that's probably not the most ideal solution.
I've used xtrlock before, it's still only the users password that you need but I've found it better for my needs than xlock. Not sure how you'd go about writing something but it'd be a fun project. I've got a mega-hacky solution which may/may not work but it'd be fun to try if you're really that keen.
Chuck together a "client", shell would work but my choice would be Python or Perl. Use this to manage your passwords. Then run 'xtrlock; my-pass-manager', you'd need to enter your user password to get passed xtrlock then have your script validate the user, if they don't pass start xtrlock again. Maybe use dialog and a fullscreen terminal without borders to make it slightly harder to just drag it out of the road and get access.