After all this talk of Heartbleed, passwords and two-factor authentication, I finally decided to add two-factor authentication to all of my personal SSH servers using the "libpam-google-authenticator" module. Don't let the module name confuse you. It's actually a complete implementation of the TOTP RFC 6238 specification and the HOTP RFC 4226 specification. It doesn't call home, doesn't require a Google account, and is fully Free and Open Source Software.
After getting all my SSH servers enabled with two-factor authentication, I changed my OTP Android application from Google Authenticator to FreeOTP, developed by Red Hat: https://play.google.com/store/apps/details?id=org.fedorahosted.freeotp
This app is a killer app. It's Free and Open Source Software, unlike Google Authenticator; it has better screen management for multiple accounts, which I have; and it offers increased security, in that codes are not displayed by default. You must tap the OTP refresh for that account to see its code.