I've got a Ubuntu virtual server that I use for webhosting and other stuff. I've been thinking about moving mail onto it, but I'd like to secure it more against the threat of losing my smartphone. Google has 2 step verification systems that allow devices to have their own password.
Is there a standard UNIX-y way of allowing one account to have multiple credentials, so that I can revoke one later without revoking all of them?
With PAM everything is possible. That's why "P" stands for pluggable. You can use multi-factor authentication, one time passwords, iris scanners and whatever you like (and for what a plug-in exists).
One of the plug-ins is Google Authenticator for two factor authentication. See this post for instructions and source code: http://www.mnxsolutions.com/security/two-factor-ssh-with-google-authenticator.html
Is there a standard UNIX-y way of allowing one account to have multiple credentials, so that I can revoke one later without revoking all of them?
Depending on how you access your system (and use these accounts) you could do that very easily with SSH and key based authentication.
The valid credentials (public keys) are stored in ~/.ssh/authorized_keys or ~/.ssh/authorized_keys2. If one user shouldn't be able to access the related user account any more, just remove their key from authorized_keys.
