Using the Google Authenticator App with Rails - Moocode Blog (moocode.com)
24 points by kenfodder on June 29, 2011 | 3 comments


Careful with that validates? function. Your OTP only changes every 30 seconds by default. At six digits, you're at non-trivial risk of just getting hit by exhaustive search in that interval. Additionally, since the == method on strings short circuits in Ruby, if they wanted to get really tricky they could possibly even get local network access and do a timing attack on you. (At 30 seconds a go and only 10^6 possibilities it would probably be easier to exhaustively search, though.)
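An added example, not part of the thread or the linked blog post: RFC 6238 code checking in Ruby with a comparison that does not short-circuit and a cap on failed attempts, the two concerns raised in the comment above. `OtpVerifier`, `MAX_FAILURES` and the in-memory failure counter are assumptions for illustration; the secret is taken as raw bytes, and a Rails app would persist the counter per user.

```ruby
require 'openssl'

# RFC 6238 TOTP with HMAC-SHA1, a 30 second step and 6 digits.
def totp(secret, time, step: 30, digits: 6)
  counter = [time.to_i / step].pack('Q>')            # 8-byte big-endian step counter
  mac = OpenSSL::HMAC.digest('SHA1', secret, counter).bytes
  offset = mac[-1] & 0x0f                            # dynamic truncation (RFC 4226)
  code = ((mac[offset] & 0x7f) << 24) | (mac[offset + 1] << 16) |
         (mac[offset + 2] << 8) | mac[offset + 3]
  (code % 10**digits).to_s.rjust(digits, '0')
end

# Compares every byte instead of stopping at the first mismatch like String#==.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Hypothetical wrapper: refuses further guesses after MAX_FAILURES misses,
# so the 10^6 code space cannot be searched within one 30 second window.
class OtpVerifier
  MAX_FAILURES = 5 # assumed limit

  def initialize(secret)
    @secret = secret
    @failures = 0
  end

  def verify(candidate, now = Time.now)
    return :locked if @failures >= MAX_FAILURES
    if secure_equal?(totp(@secret, now), candidate.to_s)
      @failures = 0
      :ok
    else
      @failures += 1
      :rejected
    end
  end
end
```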


Using Google Charts to display the QR code? OK, the code uses HTTPS there, but still... I think it should generate the QR code locally.


The command line version outputs an ASCII/ANSI QR code directly in the terminal: http://code.google.com/p/google-authenticator/source/browse/...



