Note that it's possible to configure multi-factor authentication using e.g. one-time password (OTP) for those regular openssh logins. The setup to achieve that still seem quite involved though, so the reluctant sysadmin in me haven't got around to try it.

Multiple factors:

1FA: Password(1F) OR private key (password blank)(1F)

2FA: Private key(1F) with password(2F)

MFA: Private key(1F), w/ password(2F) AND OTP(3F)