2005/8/24

I got OTP (One-Time Passwords) support working. Basically, all services that use PAM (Pluggable Authentication Modules) to authenticate users will first open up the standard password prompt, and then, if users just press Enter or type in the wrong password, it will present an OTP challenge.

The principle of OTP is that, while you're logged in over ssh from a trusted source, you generate a list of, say, 10 one-time passwords. Each time you connect after that, you can skip the standard prompt and type in the one-time password. When you use all the one-time passwords, you need to access HCOOP from a secure location again, and generate a new list of passwords. So it will be possible to use OTP if you're accessing HCOOP from untrusted machines which may be hacked or have some kind of password logging turned on.

Not everyone will want to use OTP, but that is OK. If you want, it's available and it integrates transparently into the infrastructure. --DavorOcelic
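
The principle described above, as an added example that is not part of the original post or HCOOP's configuration. The post does not say which OTP module is used, so this sketch assumes a Lamport-style hash chain (the construction behind S/Key and OPIE) with SHA-256; `generate_list`, `OtpServer` and the sample secret and seed are constructed for illustration.

```python
import hashlib
import hmac


def h(data: bytes) -> bytes:
    """One step of the hash chain (SHA-256 is an assumption of this example)."""
    return hashlib.sha256(data).digest()


def generate_list(secret: bytes, seed: bytes, count: int = 10):
    """Run from the trusted machine: build the chain and return
    (passwords in the order they must be used, verifier the server stores)."""
    chain = [h(seed + secret)]
    for _ in range(count):
        chain.append(h(chain[-1]))
    # The server keeps only the last link; each password is its preimage.
    return [link.hex() for link in reversed(chain[:-1])], chain[-1]


class OtpServer:
    """Server side: stores one hash, never the passwords themselves."""

    def __init__(self, verifier: bytes, count: int):
        self.verifier, self.remaining = verifier, count

    def login(self, otp_hex: str) -> bool:
        if self.remaining == 0:      # list used up: regenerate from a trusted host
            return False
        try:
            candidate = bytes.fromhex(otp_hex)
        except ValueError:
            return False
        if not hmac.compare_digest(h(candidate), self.verifier):
            return False
        # Accept once, then move the verifier so the same value never works again.
        self.verifier, self.remaining = candidate, self.remaining - 1
        return True


def demo():
    # Constructed sample values, not real credentials.
    passwords, verifier = generate_list(b"constructed passphrase", b"seed01", 10)
    server = OtpServer(verifier, 10)
    first = server.login(passwords[0])             # typed on an untrusted machine
    replay = server.login(passwords[0])            # what a password logger captured
    rest = all(server.login(p) for p in passwords[1:])
    exhausted = server.login(passwords[-1])        # list is empty now
    return first, replay, rest, exhausted, server.remaining


if __name__ == "__main__":
    print(demo())
```

A logged password is useless after its one use because the next valid value is a hash preimage of it, which the logger cannot compute.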