> I'd not like to rely on "something you have" and "something else you have" as > two separate factors
Using a FIDO key (e.g., sk-ssh-ed25...@openssh.com) is two factors so long as user verification is required. This can be enforced on the server by enabling the PubkeyAuthOptions verify-required option: https://man.openbsd.org/sshd_config#PubkeyAuthOptions
