
Can’t do that in some cases. TACACS, for example, doesn’t allow for private keys.


I’ve worked at more than one place where you SSH into a Linux host (often just for that datacenter) using certificate-based authentication, only to be printed a JIT (just in time) password for TACACS-based usage in that datacenter, and which is only valid for a few minutes.

Workarounds are many for network devices it seems!


Don't use that then. Tell that vendor their security posture is bad.


It’s Cisco. They already know that.



