At work we just completed a migration from a closed source 2 phase authentication product (that ran on our Windows AD Server) to an open source product called LinOTP that integrates with Google Authenticator (in fact it work with any authenticator that supports the HMAC-Based One-Time Password (HOTP) or Time-Based One-Time Password (TOTP) algorithms - these include Lastpass Authenticator and FreeOTP).
LinOTP is written in Python (Python 2/Pylons), is extremely modular (allowing you to configure it to suit your environment).
Our configuration makes use of the following modules:
- PAM authentication module (which is used by Openvpn to perform the two phase authentication).
- LDAP against AD to perform user ID resolution
- Postgresql to host the token and audit databases
- Apache2 to provide authentication to the management interface and SSL
A lot of the configuration is plumbing - as it is running on python 2 I did have to use pyenv to get a version of python 2 with a working virtualenv (Ubuntu seems to have broken virtualenv in their recent 16.04 LTS upgrade).
The LinOTP documentation is VERY good.
Tidy Management Interface (with self service portal capability)
Range of Token types supported
QRCode Scanning Screen