Every site seems to have a different procedure to set up 2FA with an authentication app, and many sites offer a choice between an app-based code or SMS. Some allow both. Twitter is the one oddball, offering either the use of SMS or its in-house-developed Twitter app, but not third-party apps. (Apple's two-step verification requires an SMS-capable phone number plus trusted devices, and handles the authentication using its own proprietary means whether in iCloud, in iOS, or in Mac OS X.)
Google Authenticator, Authy, and DuoSec Security all support Google's standard token protocol, which lets you accept a seed key from a site you're securing with two-step verification; the apps then derive a six-digit code using the key and either the current time or an incrementable counter. In my experience, I've only seen the time-based codes, which turn over every 30 seconds. Counter-based codes may be used once; time-based codes are only valid in a narrow window. (Google Authenticator is free; software from the others is free for basic or personal use, and they make their money from small-business and enterprise users.)
Many, many sites support Google's protocol and thus any compatible auth app. Well-known companies include Amazon Web Services, Dropbox, Facebook, Hover, LastPass, Linode, and Tumblr, just to name a few.
To seed the code, sites typically generate a QR Code--a 2D tag that encodes information, and which has been the butt of many jokes. (They're big in Japan!) But it's an efficient way to get a bunch of random characters or numbers off a screen and into a phone. Some sites will also provide the code written out in ASCII letters and numbers. (The key represented is 80 bits long.) The apps rely on the security of your devices, and don't have secondary security mechanisms enabled by default. Only Authy allows a passcode or Touch ID to secure the app, but you have to turn that on.
You log in with your password, are prompted for the second factor, launch the app, and enter the corresponding code. Many sites, once you've set up an auth app and used it to validate your login, allow you to mark browsers or devices as trusted, either forever or for a period of time, usually 30 days. Most sites with 2FA of any kind let you revoke or log out all trusted devices or browsers with a click from the site's security settings, in case you worry you've been compromised or someone has gained access to a computer or mobile you thought was under your control. (This is true whether or not you're using an auth app.)
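The code derivation and the site-side check described above, as an added example that is not from the article or from any of the apps it names. It assumes the published HOTP/TOTP construction (RFC 4226 and RFC 6238, HMAC-SHA1) behind what the article calls Google's protocol; the `Verifier` class, its one-step drift tolerance, and the sample seed are constructed for illustration.

```python
import base64, hashlib, hmac, struct

STEP = 30    # seconds each time-based code lasts, per the article
DIGITS = 6   # code length, per the article
SAMPLE_SEED = "JBSWY3DPEHPK3PXP"  # constructed 80-bit seed (16 base32 characters)

def hotp(seed_b32: str, counter: int) -> str:
    """Counter-based code: HMAC-SHA1 over the 8-byte counter, then truncate."""
    seed = seed_b32.replace(" ", "").upper()
    key = base64.b32decode(seed + "=" * (-len(seed) % 8))
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte picks 4 bytes
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def totp(seed_b32: str, now: float) -> str:
    """Time-based code: the counter is the count of 30-second steps since 1970."""
    return hotp(seed_b32, int(now) // STEP)

class Verifier:
    """Hypothetical server-side check: narrow window, each step accepted once."""
    def __init__(self, seed_b32: str, drift_steps: int = 1):
        self.seed = seed_b32
        self.drift = drift_steps   # assumed tolerance for clock skew
        self.last_step = -1        # highest step already accepted

    def check(self, code: str, now: float) -> bool:
        current = int(now) // STEP
        for step in range(current - self.drift, current + self.drift + 1):
            if step <= self.last_step:
                continue           # already used or older: reject replays
            expected = hotp(self.seed, step).encode()
            if hmac.compare_digest(expected, code.encode()):
                self.last_step = step
                return True
        return False

if __name__ == "__main__":
    import time
    now = time.time()
    code = totp(SAMPLE_SEED, now)
    server = Verifier(SAMPLE_SEED)
    print("code now:          ", code)
    print("first use accepted:", server.check(code, now))
    print("replay accepted:   ", server.check(code, now))
    print("5 minutes later:   ", server.check(code, now + 300))
```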