
You are mistaken. I'm not sure what blank to fill in. Google Auth uses OATH for their two-factor auth. Using the reference package just gives you their PAM module. It doesn't require hitting their servers or anything.

http://code.google.com/p/google-authenticator/




If you run google-authenticator with no arguments it hits Google's servers in order to generate a QRcode for your phone to scan.

So you are in fact handing over your 2-factor auth key to Google when you run google-authenticator. There's no actual need for the binary to do this (although it obviously makes the key entry on the phone much less error-prone) and there don't seem to be any command line arguments that would turn it off either. doesn't do this at all -- see below. (can I do strikethrough on HN?)


    So you are in fact handing over your 2-factor auth key to Google when
    you run google-authenticator

Unless things have changed a lot since I last used this, this is not entirely correct. The binary will print out a URL - the QR code is only generated if you hit this URL.

If you visit this URL, you are sending the "QR-encoded" (not exactly, but you know what I mean) version of the key to Google's servers.

As long as you do not visit this link, you will not send your key to Google's servers.


Can't reply to mryan, but I'd just checked this before coming back to HN & indeed, google-authenticator doesn't make any network connections when invoked & it generates the QR-code locally.

So don't hit that URL if you don't want Google to know your 2-factor auth data!
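Added example, not part of the thread and not code from the google-authenticator project: a check for what the comments above describe, namely which host a QR-rendering URL would hand the TOTP secret to, followed by an RFC 6238 computation showing that the secret alone is enough to produce valid codes offline. The URL shape (a chart endpoint carrying an `otpauth://` URI in a query parameter), the account name and the function names are assumptions; the secret is the RFC 6238 test key.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, urlsplit

# Constructed sample. Secret = base32 of the RFC 6238 test key
# "12345678901234567890"; the URL layout is an assumption.
SAMPLE_URL = (
    "https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl="
    "otpauth://totp/alice@example.org%3Fsecret%3D"
    "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
)


def leaked_secret(url):
    """Return (host, base32 secret) that fetching `url` would disclose, else None."""
    outer = urlsplit(url)
    for values in parse_qs(outer.query).values():
        for value in values:
            inner = urlsplit(value)  # parse_qs has already percent-decoded it
            if inner.scheme != "otpauth":
                continue
            secret = parse_qs(inner.query).get("secret")
            if secret:
                return outer.hostname, secret[0]
    return None


def totp(secret_b32, unix_time, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1), computed locally with no network access."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = struct.pack(">Q", int(unix_time) // step)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


if __name__ == "__main__":
    host, secret = leaked_secret(SAMPLE_URL)
    print(f"fetching this URL sends the secret to {host}")
    print("code at t=59 derived from the URL alone:", totp(secret, 59))
```

Run `leaked_secret` over any URL a provisioning tool prints before opening it; a non-`None` result means the request itself carries the shared secret to that host.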



