The implementation in the cloud portal is actually quite trivial, we adhered to http://tools.ietf.org/html/rfc6238, which allowed us to re-use the google authenticator client. You should be able to find Java libs that allow you to do the backend part of it.

In a nutshell, it's not really more than:

• come up with a secret
• share that secret with the google auth app
• calculate the 'current' OTP value and compare it with user input

The easiest way to ensure that your app is safe is to check the TFA code at login, doing it 'inside' the session (as in the cloud portal) is much more of a hassle.