Hacker News | nowen's comments

Google Authenticator is only one-factor, possession of the shared secret in the phone. That's why it requires 'two-steps'.


Well, the password on the phone is the other factor. No need to send the password anywhere.


So, we get a lot of questions about how to implement 2 factor authentication. You can do it quick and simple, but it is more secure to run it through your directory (AD). This eguide shows you how to do it end-to-end using standard protocols, so it works with any 2 factor solution, not just ours. Enjoy.


I hate to use the cliché, but: weakest link. SMS and dial-back systems rely on the security of the telco, who are dis-incented to secure their users' accounts. These systems do not use encryption! Of course they are going to get owned.

