I just read this interesting tutorial by @lizthegrey on adding 2 factor auth (2FA) to SSH, using either TOTP (time-based one-time password) or hardware auth tokens.
This is a companion discussion topic for the original entry at https://www.funkypenguin.co.nz/opinion/upping-your-2fa-ssh-game/