I recently implemented 2FA for OpenVPN using Google Authenticator.
The verification code I'm using is largely based on the Google2FA class for PHP written by Phil Taylor found below:
http://www.idontplaydarts.com/2011/07/google-totp-two-factor-authentication-for-php/
One challenge I had was not everyone has a smartphone (sigh). So I needed an inexpensive hardware token option.
I found that the Authenex A-Key 3610 is compatible. [ If anyone knows of other compatible tokens please comment. ]
It's not dirt cheap but it's cheap enough for our intended audience: $25 per unit if you get less than 100 and down to half that for larger quantities.
They send you a list of SNs to private key associations for the hardware tokens you've purchased. The only catch is that they represent the 160-bit key in hex so if you're using RFC4648 formatted Base32 (e.g. the default for Google Authenticator) you just need to convert those keys. After that you can add them to your DB just like you add keys for Google Authenticator and they'll work with the same verification code.
