Do you do 2FA on each connection or on cert issuance? I feel like doing the latter is a lot easier since it lets you leverage your identity provider’s 2FA mechanism (if you’re using SSO to get a cert). It also means people who use SSH a lot aren’t constantly badgered to do 2FA every time they connect. It’s sort of like a cookie, establishing a session.
Downside, of course, is that there’s no presence check with each connection.
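As an added illustration of the "cert as session" idea (this is example code written for this thread, not the commenter's setup or any CA product's code), the block below assembles the body of an OpenSSH user certificate in the `ssh-ed25519-cert-v01@openssh.com` layout from PROTOCOL.certkeys, parses it back, and then performs the per-connection checks a server does after the CA signature verifies: principal match and validity window. The nonce, CA key and signature are constructed placeholders (real issuance signs with `ssh-keygen -s`); the function and field names are this example's own. The point it makes concrete is that once the cert is issued, the only thing bounding the "session" is `valid_before`, so the TTL you choose at issuance is the trade-off against the missing presence check.

```python
"""Added example: an OpenSSH user certificate treated as a bounded session.

Illustrative code for this discussion, not from OpenSSH or any CA product.
Field order follows PROTOCOL.certkeys for ssh-ed25519-cert-v01@openssh.com.
The nonce, CA key and signature below are constructed placeholders.
"""
import struct
import time

CERT_TYPE = b"ssh-ed25519-cert-v01@openssh.com"
SSH_CERT_TYPE_USER = 1


def _string(b: bytes) -> bytes:
    """SSH wire 'string': uint32 length prefix followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def build_cert(pubkey: bytes, key_id: str, principals, valid_after: int,
               ttl: int, extensions=("permit-pty",)) -> bytes:
    """Assemble a user certificate whose validity window is [valid_after, valid_after+ttl)."""
    ext_blob = b"".join(_string(e.encode()) + _string(b"") for e in extensions)
    body = (
        _string(CERT_TYPE)
        + _string(b"\x00" * 32)                         # nonce (constructed, not random)
        + _string(pubkey)                               # raw ed25519 public key
        + struct.pack(">Q", 1)                          # serial
        + struct.pack(">I", SSH_CERT_TYPE_USER)
        + _string(key_id.encode())                      # e.g. the SSO identity that did 2FA
        + _string(b"".join(_string(p.encode()) for p in principals))
        + struct.pack(">Q", valid_after)
        + struct.pack(">Q", valid_after + ttl)          # the 'session' expiry
        + _string(b"")                                  # critical options (none)
        + _string(ext_blob)
        + _string(b"")                                  # reserved
        + _string(b"ca-key-placeholder")                # signature key (constructed)
    )
    return body + _string(b"sig-placeholder")           # signature (constructed)


class _Reader:
    """Minimal cursor over SSH wire-format fields."""

    def __init__(self, data: bytes):
        self.data, self.off = data, 0

    def string(self) -> bytes:
        (n,) = struct.unpack_from(">I", self.data, self.off)
        self.off += 4
        s = self.data[self.off:self.off + n]
        self.off += n
        return s

    def u32(self) -> int:
        (v,) = struct.unpack_from(">I", self.data, self.off)
        self.off += 4
        return v

    def u64(self) -> int:
        (v,) = struct.unpack_from(">Q", self.data, self.off)
        self.off += 8
        return v

    def strings(self):
        while self.off < len(self.data):
            yield self.string()


def parse_cert(blob: bytes) -> dict:
    """Decode the certificate fields in wire order into a dict."""
    r = _Reader(blob)
    cert = {"type": r.string(), "nonce": r.string(), "pubkey": r.string(),
            "serial": r.u64(), "cert_type": r.u32(), "key_id": r.string().decode()}
    cert["principals"] = [p.decode() for p in _Reader(r.string()).strings()]
    cert["valid_after"], cert["valid_before"] = r.u64(), r.u64()
    cert["critical"] = r.string()
    ext_fields = list(_Reader(r.string()).strings())
    cert["extensions"] = [n.decode() for n in ext_fields[0::2]]   # name, data pairs
    r.string()                                                     # reserved
    cert["sig_key"], cert["signature"] = r.string(), r.string()
    return cert


def accept_login(cert: dict, login_user: str, now: int):
    """Per-connection checks after the CA signature has verified.

    There is no second factor or presence check here: the validity window
    chosen at issuance is the only thing bounding the session.
    """
    if cert["cert_type"] != SSH_CERT_TYPE_USER:
        return False, "not a user certificate"
    if now < cert["valid_after"]:
        return False, "certificate not yet valid"
    if now >= cert["valid_before"]:
        return False, "certificate expired"
    if login_user not in cert["principals"]:
        return False, "principal not authorized"
    return True, "ok"


if __name__ == "__main__":
    issued = int(time.time())                 # moment the SSO/2FA step completed
    blob = build_cert(b"\x01" * 32, "alice@sso", ["alice"], issued, ttl=8 * 3600)
    cert = parse_cert(blob)
    print(accept_login(cert, "alice", issued + 3600))       # inside the window
    print(accept_login(cert, "alice", issued + 9 * 3600))   # after expiry
```

Shortening `ttl` is the only lever this model gives you against the downside noted above; anything that needs a live presence check has to happen at connection time instead, outside what the certificate itself can express.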