Well we can now store public SSH keys in AD, and make them machine specific as well. SSH also prompts for a MFA token that validates against our generic 2FA server that currently is setup for YubiKeys or TOTP. Leaving me with triple authentication: key -> password -> MFA