I use Krypt.co. It stores my private key on my mobile device only. I can hook up any device to use it as my SSH key, but the key never leaves the device. Instead, it signs all requests only once I authorize them interactively.
An SSH key is one factor. There are various methods for protecting the key with additional factors, but none of the git hosts provide a way to require those additional factors. So as an org owner you're left either trusting every one of your users not to get sloppy with keys, or installing spyware on their computers to make sure they're not using unprotected keys.
How so? An SSH key is a single factor. You could argue that a password-protected private key provides a second factor, but that still falls in the category of "something you know."
> The fact that one time passwords expire and change is what makes them a different factor than a static password.
If you're getting your 2FA code by SMS message or the like, this can be true.
If you're using TOTP (e.g. Google Authenticator), that's just as static as your other passwords. The TOTP code never expires nor changes. What changes is the code you're supposed to send over the wire.
Exactly. PATs are designed to circumvent human intervention (MFA) for authentication in order to support automation. I am very curious if there's a better way than PATs.