Before the Dropbox two-factor authentication release I didn't realize that the Google Authenticator was built on an open platform. My initial concern with using a third party tool like the Authenticator is that it could lock the user out if the external service was inaccessible. But the RFCs specify an algorithm that only requires upfront coordination with a secret and after that a new key is automatically generated every 30 seconds independently by each side.
Knowing this - and that it's a lot of extra development work in terms or account recovery, etc. - should two-factor authentication be standard issue in future web apps?