There must at least be MFA somewhere on the path then.

Even just keys, I wouldn’t trust, unless they are stored on smartcards or some other physical “something I have”, require a PIN/passphrase. and centrally managed so they can be revoked and rotated. Too many people use unprotected SSH keys.

I…I don’t understand the question.

Also, yubikey or any other token. Plenty of MFA options compatible with sudo.

Nah just set up PAM to use TOTP or a third party MFA service to send a push to your phone for sudo privs.

Ooh I’ve been thinking about getting a VPS to set up wireguard from my house so I can get remote access (my ISP uses CGNAT and blocks inbound). I only do about 1TB a month, so these 3-4TB plans should more than cover my needs.