Google Authenticator is an open source, easy to use TOTP (and HOTP) implementation which is not bad at all. The pam module is decent, and the smart phone (androit, ios, and blackberry support) client's QR Code enrollment is very convenient. Because [TH]OTP are standards, it's compatible with any other implementation of those standards, such as http://www.nongnu.org/oath-too... and the Yubikey tokens.
Personally, I use the Google Auth client with pam_krb5 / mit kerberos using a custom preauth plugin with totp keys generated by oath and stored in an LDAP backend. It's pretty neat. I mostly went with TOTP because that allows me to more easily pre-generate keys for automation jobs, btw.