So, this is something pretty spiffy, and a lot of people have set it up already, provided nice walkthroughs, etc. Since there are many good walkthroughs already (like here or here), I won't go into too much detail. It's stunningly simple to set up, if you don't mind manually pulling the module's source out of version control and building it yourself.
But, one thing struck me as necessary. I have users that don't use two-factor auth right now, and they may not want to. So, how can I make this optional? Well, PAM makes this pretty painless, although it's not built into the module itself:
auth [default=ignore success=1] pam_succeed_if.so quiet user notingroup secure
auth required pam_google_authenticator.so
That's it. Basically, you have a group "secure"; users in it are required to use two-factor auth, and everyone else isn't. The way it works is by skipping the following rule if users are not in the "secure" group, but ignoring the result of pam_succeed_if if they are. Get it? Now, this does mean that users need to be manually added to this group in order to be graced with two-factor authentication, but it's still better than nothing. If you're curious about a related enhancement, this bug report details some additional thoughts on transitioning to two-factor auth.
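To make the skip logic concrete, here is an added example (not from the original post or the module's own code) that walks the two rules above through a simplified model of Linux-PAM's control actions. The helper names and the "auth_err" label for a non-success return are assumptions of the example.

```python
import re

# The two rules from the post, copied verbatim.
RULES = """\
auth [default=ignore success=1] pam_succeed_if.so quiet user notingroup secure
auth required pam_google_authenticator.so
"""
# Linux-PAM documents "required" as shorthand for this bracketed control.
SHORTHAND = {"required": "success=ok new_authtok_reqd=ok ignore=ignore default=bad"}

def parse(text):
    """Return [(module, {return_code: action})] for each auth line."""
    rules = []
    for line in text.splitlines():
        m = re.match(r"auth\s+(\[[^\]]*\]|\S+)\s+(\S+)", line)
        control = m.group(1).strip("[]")
        control = SHORTHAND.get(control, control)
        rules.append((m.group(2), dict(p.split("=") for p in control.split())))
    return rules

def walk(rules, returns):
    """Apply each rule's action to the module return codes in `returns`.
    Simplified model: tracks only jumps and whether a rule marked the stack failed."""
    trace, failed, skip = [], False, 0
    for module, actions in rules:
        if skip:
            skip -= 1
            trace.append((module, "skipped"))
            continue
        code = returns[module]
        action = actions.get(code, actions["default"])
        trace.append((module, f"{code} -> {action}"))
        if action.isdigit():
            skip = int(action)      # jump over the next N rules
        elif action == "bad":
            failed = True           # a required module failed
    return trace, failed

def second_factor(in_secure_group, code_ok):
    """Hypothetical helper: derive module return codes for one login attempt."""
    returns = {
        # "notingroup secure" succeeds only for users outside the group.
        "pam_succeed_if.so": "auth_err" if in_secure_group else "success",
        "pam_google_authenticator.so": "success" if code_ok else "auth_err",
    }
    return walk(parse(RULES), returns)

if __name__ == "__main__":
    for member, ok in [(False, False), (True, True), (True, False)]:
        print(member, ok, *second_factor(member, ok))
```

A skipped or passed second factor does not authenticate anyone by itself; the other auth rules in the same PAM file (not shown in the post) still run and decide the outcome.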