I believe your understanding is correct, based on the pam documentation.
You should be able to make the changes, test, and revert back if needed if you open another connection to test with, leaving your original ssh session connected (make sure it doesn't time out though!)
Yes, I have a setup where I can ssh to my server using public key authentication, with a fallback to two-factor authentication with Google Authenticator + password when my private key is not available. These are the steps you can use to set it up.
Installing Google Authenticator
My server is running Ubuntu Bionic Beaver (18.04.1). You can install Google Authenticator using apt:
$ sudo apt install libpam-google-authenticator
Configuring sshd
Open /etc/pam.d/sshd and add the following line at the top:
auth optional pam_google_authenticator.so
Open /etc/ssh/sshd_config and change one line. The existing line is
ChallengeResponseAuthentication no
and you should change it to
ChallengeResponseAuthentication yes
Configuring Google Authenticator for Your Account
The next step is to turn on Google Authenticator for your account. You do this by simply running:
$ google-authenticator
Make sure you run this as the user who will be making ssh connections, not root. Make a note of your new secret key and your emergency scratch codes. The wizard will ask you several questions to configure the security settings for your account.
Configuring Your Mobile App
I use the Google Authenticator app for iPhone. This app has a [+] button that allows me to add a new Time Based Token using the secret key I obtained from the google-authenticator command on my server. It was trivial to set up. I can't help you with apps on any other platform, but I imagine the process is equally simple.
Pulling the Trigger
The last thing you need to do is restart sshd.
$ sudo /etc/init.d/ssh restart
At this point, when you try to connect to the server when your private key is available, authentication just works. When your private key is not available, you will get a prompt for a verification code, then your account password.
Bingo, two-factor authentication.
Best Answer
The IMAP protocol can use SASL for authentication, which explicitly can support OTP. The other two answers are wrong on this account. SASL can further be extended to other authentication mechanisms.
However, both the server and client software must support the SASL Mechanism for it to work, and OTP isn't supported by any software that I'm aware of (not that it doesn't exist, I just don't know of any).