Now, some people argue that a password-protected SSH key pair constitutes MFA, with the key pair being the "what you have" and the password protecting it being the "what you know". Well, it is wrong and dangerous!
No. It is fundamentally correct. The user can always do all kinds of stupid things to undermine the security of services they can access. For example transfer their token from a separate device (phone) to a generator on the same computer they use to log in (there's even a Chrome addon somewhere), or store passwords in a sticky on the screen... the possibilities are endless.
Still a good article on your MFA options with ssh.
Right, it is wrong and dangerous, but not for the reason the article claims. The user can always do something stupid to compromise their security, but if they just do what they're advised to do (store their token on their phone), then with proper 2FA, the attacker has to compromise two systems (the computer with the terminal and the phone with the TOTP secret) to gain access. With SSH passphrases, only one system needs to be compromised (the terminal).
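The "how many systems must be compromised" argument above can be made mechanical. The following is an added example, not code from the article or from any commenter: each factor is tagged with the device it lives on (placeholder names "laptop" and "phone"), and the smallest set of devices covering all factors is computed. It also covers the case raised earlier of a TOTP generator moved into a browser add-on on the login machine.

```python
from itertools import combinations
from typing import Dict

# Constructed scenarios from the thread: factor name -> device holding it.
SCENARIOS = {
    # Passphrase-protected SSH key: the key file ("have") and the passphrase
    # ("know", typed on the same host) are both exposed to a compromised terminal.
    "ssh_key_with_passphrase": {"private_key": "laptop", "passphrase": "laptop"},
    # Key on the laptop, TOTP secret on a separate phone.
    "ssh_key_plus_totp_on_phone": {"private_key": "laptop", "totp_secret": "phone"},
    # Same, but the user moved the TOTP generator into a browser add-on on the laptop.
    "ssh_key_plus_totp_in_browser": {"private_key": "laptop", "totp_secret": "laptop"},
}


def devices_to_compromise(factors: Dict[str, str]) -> int:
    """Smallest number of devices whose compromise exposes every factor.

    Brute-force set cover; the device count a single user carries is tiny,
    so the combinatorial search is negligible.
    """
    devices = sorted(set(factors.values()))
    for k in range(1, len(devices) + 1):
        for subset in combinations(devices, k):
            if all(dev in subset for dev in factors.values()):
                return k
    return len(devices)


def is_separated_mfa(factors: Dict[str, str]) -> bool:
    """True only if an attacker must compromise more than one device."""
    return devices_to_compromise(factors) > 1


if __name__ == "__main__":
    for name, factors in SCENARIOS.items():
        print(f"{name}: {devices_to_compromise(factors)} device(s) to compromise, "
              f"separated MFA = {is_separated_mfa(factors)}")
```

The passphrase-key and browser-add-on setups both collapse to a single device, which is the point the two comments agree on.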