Google Autenticator can't be bypassed by someone with access to Google's systems. Duo's two factor auth can be bypassed by someone with access to Duo's systems.
For what it's worth, I agree that Duo has better usability, and is probably the better solution in most cases. TOTP is the more paranoid option.
I believe that Google Authenticator uses TOTP. Six digit HMAC-SHA1 TOTP from a base32 encoded secret using a 30 second timestep. At least, that has been my experience. I wrote an OATH client and it works with Google Authenticator using those parameters. https://github.com/w8rbt/oathgen
Duo supports this as well (and also other TOTP/HOTP modes). If you have access to a Duo account, look at the 'Import Hardware Tokens' feature under 'Devices'. That's not named accurately. Really it should be named, 'Import TOTP/HOTP secrets' as that's what they ask you to import and those secrets can be used in OATH compliant HW fobs or any software that does standard TOTP/HOTP. They also allow you to import Yubikeys as well if you like (of course, that's not OATH).
TOTP relies on a shared secret. With Google Authenticator, the secret is shared between your phone and the SSH server you're logging into. With Duo, the secret is shared between your phone and Duo's API backend; the server has no independent way of authenticating it.
Authorization is done by making a POST request to a Duo-controlled server. If the response is the string "allow", it lets you in; if it's "deny", it doesn't. Duo can make that server return whatever they want.
Sorry for the late reply. You can basically set up to send yourself an SMS with codes that you can use offline I think. Actually, I am not quite sure if they would work offline. So I think you are right. Sorry.
It's already in the most popular repos. It's used by the likes of NASA, Facebook, Box, Arbor Networks, Internet2, Twilio, Yelp, etc.
https://www.duosecurity.com/docs/duounix