Google introduced 2-step authentication some time ago. With 2-step authentication, the user is asked for a token after successfully logging in with your username/password. The token is provided by an application and is usually short-lived.
Google implements the IETF RFC 6238 time-based one-time password (TOTP) standard. The interesting part is that we can use Google's token-generating clients to implement the same layer of security within our own applications.
The following blog explains how to configure the mobile client and how to validate the generated tokens in your app.
A pluggable authentication module (PAM) to be used with the same client infrastructure can be found here.
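Server-side validation of such tokens can look like the following added example, which is not code from this post or from the linked blog. It assumes the common client defaults (HMAC-SHA1, 30-second step, 6 digits); `totp_at`, `verify_totp`, `last_counter` and the sample secret are names and values constructed for illustration.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed sample: the RFC 6238 test key "12345678901234567890" in base32,
# the encoding in which secrets are provisioned to the mobile client.
SAMPLE_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp_at(secret_b32, counter, digits=6):
    """Code for one time-step counter (RFC 4226 truncation, HMAC-SHA1)."""
    s = secret_b32.upper().replace(" ", "")
    key = base64.b32decode(s + "=" * (-len(s) % 8))
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte selects 4 bytes
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify_totp(secret_b32, token, last_counter=-1, now=None, step=30, window=1):
    """Return the matched time-step counter, or None if the token is rejected.

    window: steps of clock drift tolerated on each side of the current step.
    last_counter: highest counter already accepted for this user. Tokens at
    or below it are refused, so a code observed once cannot be reused. The
    caller stores the returned counter as the new last_counter.
    """
    current = int(time.time() if now is None else now) // step
    matched = None
    for counter in range(max(0, current - window), current + window + 1):
        expected = totp_at(secret_b32, counter).encode()
        # compare_digest keeps comparison time independent of matching digits
        if hmac.compare_digest(expected, token.encode()) and counter > last_counter:
            matched = counter
    return matched
```

Keeping `window` small and rate-limiting failed attempts per account matters as much as the comparison itself, since a 6-digit code has only one million possible values.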