I use use some iptables voodoo with them to auto-whitelist on successful auth and blacklist on failed auth attempts.
Three things to note about google authenticator:
1. ssh keys bypass it unless you have a patched version of OpenSSH with multiauth
2. It can be configured to have you append your one time code to your password for interop with things that can't handle keyboard-interactive auth
3. It is self contained and doesn't use any google services to function.