The security method described earlier in this post would do exactly what you want (require a username and password to access the pi). The mobile app and the web app both support it out of the box. However, I don’t think it could easily be made into a script or SD card image. This is because an SSL certificate is required and you have to go through several steps to get a certificate from a third party that is specific to your device and domain.
Also it probably wouldn’t be necessary to have an on/off switch because once it’s setup it’s pretty seamless and I can’t think of a situation where you would want to disable it.
The nice thing about the pi is you can easily make a copy of your SD card. So if you mess up on your security settings, you can just restore your working copy and you are back in business.