privacyIDEA is a modular authentication server that can be used to implement 2FA with your existing applications. Can use many different back-ends, from LDAP to Active Directory to flat files. Has a self-service portal for users. Policies enforce different requirements on groups. Supports HOTP, TOTP, SafeNet, eToken Pass, Safeword, OTP cards, Google Authenticator, RADIUS, SMS one-time tokens...
Has a TokenClass which is designed for adding new authentication devices. Has a REST API. Plugins for many services available. Supports detailed audit logging. Supports multiple databases for its datastores. Database contents are AES encrypted.
GitHub repo: https://github.com/privacyidea/privacyidea
How to set up an Ubuntu machine to require Google Authenticator to SSH in.
Several different ways of configuring SSH on servers to use multiple authentication methods in succession for greater security.