Wireless Army
This is a blog / tips and tricks website for web developers and security researchers.


Protect SSH With Two-Factor Authentication
by admin at 2017-05-20 11:10:00.

We will use the Google Authenticator PAM module.

Note: If you activate google-authenticator for a normal user but not for root, you can't log in as root directly anymore. You will need to log in as the new user first, then switch to the superuser with the su command to get root.

If you don't want to use a phone for the app, you can use a web-based app here.

sudo apt-get install libpam-google-authenticator

Add the following line to /etc/pam.d/sshd:

auth required pam_google_authenticator.so

And set this line in /etc/ssh/sshd_config:

ChallengeResponseAuthentication yes

Finally, run google-authenticator and answer the prompts:

google-authenticator
Do you want authentication tokens to be time-based (y/n) y
Do you want me to update your "/home/USERNAME/.google_authenticator" file (y/n) y

Scan the code, print out the emergency scratch codes, and store them in a safe place!
Then restart the SSH server.
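
To check that the three pieces above line up before closing your current session, here is an added example (not part of the original post) that audits the PAM file, sshd_config and the secret file. The function names are hypothetical; it assumes sshd's first-value-wins parsing, ignores Match blocks, and also accepts KbdInteractiveAuthentication, the name newer OpenSSH releases use for the same option.

```shell
# Added example, not from the original post. File paths are arguments so the
# checks can run against copies; the files built in demo() are constructed.

# True if an uncommented "auth ... pam_google_authenticator.so" line exists.
pam_has_totp() {
  grep -Eq '^[[:space:]]*auth[[:space:]]+[^#]*pam_google_authenticator\.so' "$1"
}

# Print the global value of an sshd_config keyword. sshd keeps the first value
# it reads and keywords are case-insensitive; Match blocks are not evaluated.
sshd_option() {
  awk -v key="$2" '
    { sub(/[ \t]*=[ \t]*/, " ") }              # accept "Keyword=value"
    tolower($1) == "match" { exit }
    tolower($1) == tolower(key) { print tolower($2); exit }
  ' "$1"
}

# True if the secret file exists with no group/other permission bits.
secret_file_ok() {
  [ -f "$1" ] && [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Usage: check_ssh_2fa PAM_FILE SSHD_CONFIG SECRET_FILE
check_ssh_2fa() {
  rc=0
  pam_has_totp "$1" || { echo "FAIL: no active pam_google_authenticator.so line in $1"; rc=1; }
  v=$(sshd_option "$2" ChallengeResponseAuthentication)
  # OpenSSH 8.7+ calls this KbdInteractiveAuthentication (the old name is an alias).
  [ -n "$v" ] || v=$(sshd_option "$2" KbdInteractiveAuthentication)
  # The post sets the option explicitly, so anything but an explicit yes is flagged.
  [ "$v" = "yes" ] || { echo "FAIL: challenge-response is '${v:-unset}' in $2"; rc=1; }
  secret_file_ok "$3" || { echo "FAIL: $3 missing or readable by group/others"; rc=1; }
  [ "$rc" -eq 0 ] && echo "OK: PAM, sshd_config and secret file are consistent"
  return "$rc"
}

demo() {  # constructed sample files: option off, then set as in the post
  d=$(mktemp -d)
  printf 'auth required pam_google_authenticator.so\n' > "$d/pam"
  printf 'ChallengeResponseAuthentication no\n' > "$d/sshd_before"
  printf 'ChallengeResponseAuthentication yes\n' > "$d/sshd_after"
  : > "$d/secret"; chmod 600 "$d/secret"
  check_ssh_2fa "$d/pam" "$d/sshd_before" "$d/secret" || true
  check_ssh_2fa "$d/pam" "$d/sshd_after" "$d/secret"
  rm -rf "$d"
}
# Real run (as root): pass /etc/pam.d/sshd /etc/ssh/sshd_config /home/USERNAME/.google_authenticator
if [ "$#" -eq 3 ]; then check_ssh_2fa "$@"; else demo; fi
```

Run it with no arguments to see the constructed before/after case, or with the three real paths to audit the live files.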