Ssh key or two factor authentication

Hello! Just wondering, which option is more secure? I know that password authentication isn’t recommended, but what if I strengthen it with TOTP? How secure that would be? Would it be as secure, or less secure as key authentication?
Miro

Nothing really beats key based authentication. And if your private key requires a password to unlock, even better, that can serve as a pseudo-2fa. If someone steals your private key or gets access to your device, they can’t ssh to another server unless they get your password for the key as well.

Bonus points if you follow the Alpine Linux Wiki and only set up ssh key authentication to an unprivileged user, from which you can then switch user to another user (basically 3FA at this point to get access to a sudoer user, but 2FA to get to an unprivileged user on the server).

ssh unpriv@server
su - priv
sudo blah blah

Thank you for your reply!
That’s a very nice trick! Thank you for sharing.

port-knocking can come pretty close. If configured correctly, it would be really tough to figure out from the outside.

A hardware key with a PIN or password == MFA (something you have + something you know).