Yes, please add 2FA! But how would OpenID be connected to that? I'm usually just annoyed by sites that want to rely on OpenID or Google accounts and not have their own account credentials. Separate credentials + 2FA for each site is much better and simpler IMO.
If we used OpenID as a 2FA method, it would be separate from Google Authenticator.
What's the problem with using Google Authenticator? It has nothing to do with Google accounts, and is very easy to implement. I even added it to my own ssh server.
Yeah there seems to be some confusion on how these various components fit together.
The TOTP standard: RFC6238
RFC6238 is an open standard which allows a remote user (forum user) and a website (bitcoin talk forum) to generate the same code at the same time. It is a time-based token. The inputs for the algorithm are a shared secret and the current time. Note this requires the public website AND the user to run the same algorithm, but they don't even need to be created from the same codebase as long as they properly implement RFC6238: a site implementation AND a remote implementation. This is how both entities can "know" the same code at the same time without any communication. The site (any site) just needs an implementation of RFC6238.
https://tools.ietf.org/html/rfc6238
The site needs to run code which will allow it to assign a shared secret to each user (often in the form of a QR code) and maintain those shared secrets in the login tables of the database. When a user later provides a TOTP, the site will take the shared secret and the current time to generate a code and see if it matches what the user provides.
Google does provide source code for this, but a site doesn't need to run Google code; any public server implementation of RFC6238 will work with any client implementation. That is the whole point of an open standard.
http://en.wikipedia.org/wiki/Time-based_One-time_Password_Algorithm#Public_Server_Implementations
So as an example, a website could use OATH Toolkit (public server implementation of RFC6238) and a user who has Google Authenticator (client implementation of RFC6238) could generate the proper code. I guess the best analogy would be web server and web browser. They both implement the HTTP protocol. You don't need to use a Google Chrome web server in order for users running the Google Chrome browser to see your website.
http://www.nongnu.org/oath-toolkit/
OpenID
OpenID isn't 2FA. It is simply authentication. It allows you to use a site you ALREADY HAVE to register on new sites in a secure manner (site owners can't link identities together). Note it isn't 2FA; it is just a replacement for normal login. Now if your OpenID login HAS 2FA (i.e. you use Gmail = an OpenID provider and your Gmail account has 2FA) then it can be more secure, but if your OpenID account has your email address as the username and the password is "password", it isn't going to be any more secure.
http://openid.net/get-an-openid/