[moomerman]

The method listed in the article does authenticate with the SSH key first and then the second factor kicks in only if the key (and passphrase) are valid.

Doesn't ForceCommand do exactly the same thing except it allows you to do it globally?

[simcop2387]

Not only does it allow you to do it globally, it doesn't allow a user to log in and disable it on you either. If you have to have them turn it on in ~/.ssh/authorized_keys all it takes is someone to get in once to add in a key that doesn't require that any more.