I find that everything is easier on OpenBSD when it comes to security. The tools are already present and properly integrated in the base install. They even have good documentation. This one is right out of the FAQ:

As root, create the /etc/skey directory:

    skeyinit -E

Next, as a normal user on a secure console, set up your skey passphrase, one different from your system password:

    skeyinit

Then to use OTP with your login, just tack ':skey' onto your username:

    ssh joeuser:skey@host.example.com

Done!
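
Why the ':skey' login is safe to type on a terminal you do not trust, as an added example that is not from the FAQ or from OpenBSD's code: a small model of the S/Key hash chain showing that the server stores only the last accepted one-time password and that a captured response cannot be replayed. It assumes MD5 with the RFC 2289 fold to 64 bits; the class and function names, the seed and the passphrase are constructed for illustration.

```python
import hashlib

def step(data: bytes) -> bytes:
    """One chain step: MD5, then fold to 64 bits by XORing the two halves."""
    d = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(d[:8], d[8:]))

def otp(passphrase: str, seed: str, count: int) -> bytes:
    """One-time password number `count` for this seed and passphrase."""
    value = step(seed.lower().encode() + passphrase.encode())  # initial step
    for _ in range(count):
        value = step(value)
    return value

class SkeyEntry:
    """Model of a server-side record (hypothetical name, not OpenBSD's format)."""

    def __init__(self, passphrase: str, seed: str, count: int = 100):
        self.seed, self.count = seed, count
        # Only the chain value is kept; the passphrase itself is never stored.
        self.last = otp(passphrase, seed, count)

    def challenge(self):
        """Sequence number and seed the user feeds to their OTP calculator."""
        return self.count - 1, self.seed

    def verify(self, response: bytes) -> bool:
        # Hashing the response once must reproduce the stored value.
        if self.count <= 0 or step(response) != self.last:
            return False
        # Accepting moves the stored value one link down the chain, so the
        # response just used (and anything sniffed earlier) stops working.
        self.last, self.count = response, self.count - 1
        return True

def demo():
    secret, seed = "constructed sample passphrase", "host12345"  # constructed
    entry = SkeyEntry(secret, seed)
    n, s = entry.challenge()
    response = otp(secret, s, n)
    first = entry.verify(response)    # legitimate login
    replay = entry.verify(response)   # same bytes captured and resent
    n2, _ = entry.challenge()
    second = entry.verify(otp(secret, s, n2))
    return first, replay, n, n2, second

if __name__ == "__main__":
    print(demo())
```

The sequence number only counts down, so the entry has to be re-initialised with skeyinit before it reaches zero.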