I was wondering what I'd use this for (either as an end-user or as a developer), when I found that people actually use their Google account for two-factor authentication for their SSH accounts.
You know what? I don't trust Google enough to allow them to lock me out of my own systems, and I'm surprised other obviously technologically inclined people do.
> You know what? I don't trust Google enough to allow them to lock me out of my own systems, and I'm surprised other obviously technologically inclined people do.
This is a common misconception of Authenticator. It is an open source implementation of OATH which works entirely offline once the initial secrets have been shared.
Using Google Authenticator for SSH accounts (via PAM) does not give Google the ability to lock you out of your systems.
Excluding severe bugs and overly paranoid scenarios, e.g. the entire Authenticator system being a convoluted plan for Google to take over your servers.
Google Authenticator is just a client for the open OATH protocol. It doesn't rely on Google at all - there's no network connection, it's just a number being calculated from a seed + the current time.
Nitpicking: '... or a counter on the token/device'.
As far as I know, Google Authenticator allows both time- and counter-based accounts. Not that it changes anything regarding the GP's misconception about accessing external services.
The application I wrote works for all the mentioned websites, e.g. Drupal, Amazon, Dreamhost, Dropbox, etc., since it implements the standard HOTP specification. It is merely named G since this is the most well-known implementation and was my first use-case.
You can implement the whole protocol in a few lines of Python, or whatever is your weapon of choice. Secure key management aside, it could do the same functionality. Google Authenticator is just a comfort option.
I don't have the context here, but it's entirely possible to use it without Google's knowledge. For example, Amazon also implements Gauth for their two-factor scheme.
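An added example, not code from any commenter or from Google Authenticator itself: the counter-based (RFC 4226) and time-based (RFC 6238) calculations discussed in the comments above, plus a verifier-side check, all running offline from the shared seed. The names `decode_seed`, `verify_totp` and `last_used` are hypothetical, and the seed is the published RFC 4226 test secret.

```python
import base64
import hashlib
import hmac
import struct
import time

# Test seed published in RFC 4226 Appendix D; never use it for a real account.
RFC_SEED = b"12345678901234567890"

def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then truncate."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble picks a 4-byte window
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(seed: bytes, now=None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with counter = number of `step`-second periods since epoch."""
    now = time.time() if now is None else now
    return hotp(seed, int(now) // step, digits)

def decode_seed(text: str) -> bytes:
    """Seeds are usually shared as base32, often lowercase, spaced and unpadded."""
    s = text.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))

def verify_totp(seed, submitted, now=None, step=30, window=1, last_used=-1, digits=6):
    """Verifier side (hypothetical helper): return the matching counter or None.

    `window` tolerates clock drift; `last_used` is the last accepted counter,
    so a code that was already used (or is older) cannot be replayed.
    """
    now = time.time() if now is None else now
    current = int(now) // step
    for counter in range(max(0, current - window), current + window + 1):
        if counter <= last_used:
            continue
        expected = hotp(seed, counter, digits)
        # compare_digest avoids leaking how many leading digits matched
        if hmac.compare_digest(expected.encode(), submitted.encode()):
            return counter
    return None

if __name__ == "__main__":
    seed = decode_seed("gezd gnbv gy3t qojq gezd gnbv gy3t qojq")  # == RFC_SEED
    code = totp(seed)
    print("current code:", code, "accepted at counter", verify_totp(seed, code))
```

The verifier has to persist `last_used` per account; without it, a code observed once stays valid for the rest of the drift window.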