by hello_computer 671 days ago
So instead of exposing thoroughly tested OpenSSH to the web, I’m exposing this thing, which can also run shell commands…
2 comments

Just had a random thought… what about port knocking, but the combination was TOTP’d? Port knocking is visible to third parties… but if the combination was a TOTP nonce, guessing the correct combination would be fairly difficult.
Didn’t have a beef with the general idea or the cryptography (assuming that some form of replay protection was already baked-in) so much as the idea that exposing a novel, less-tested, non-trivial service is a security win. If the implementation (TOTP or not) were dead-simple, I think SPA would be a win, but as soon as we get to dynamic cross-platform firewall-fiddling and custom commands, we are no longer in “dead-simple” territory.
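A sketch of the TOTP-style knock sequence proposed above, combined with the replay protection the reply mentions, as an added Python example that is not from the thread or from the tool under discussion. The shared secret, the HMAC-SHA256 derivation, the port range and the one-step clock skew are all my own assumptions for illustration.

```python
import hmac
import hashlib
import struct

# Constructed demo secret; a real deployment would provision a random per-host key.
SECRET = b"constructed-demo-shared-secret-32by"
STEP = 30            # TOTP time step in seconds (RFC 6238 default)
KNOCK_LEN = 4        # number of ports in one knock sequence
PORT_LO, PORT_HI = 10000, 60000


def totp_counter(now, step=STEP):
    """Map a Unix timestamp to the TOTP time-step counter."""
    return int(now) // step


def knock_sequence(secret, counter, n=KNOCK_LEN):
    """Derive n ephemeral knock ports from HMAC(secret, counter).

    Each port comes from a distinct 4-byte window of the MAC, so an
    observer who sees one sequence learns nothing about the next step's."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha256).digest()
    ports = []
    for i in range(n):
        word = struct.unpack(">I", mac[4 * i:4 * i + 4])[0]
        ports.append(PORT_LO + word % (PORT_HI - PORT_LO))
    return ports


class KnockVerifier:
    """Server side: accept a knock only if it matches the current or an
    adjacent time step AND that step has not already been redeemed.
    The redeemed set is what stops a replayed sequence inside one step."""

    def __init__(self, secret, skew_steps=1):
        self.secret = secret
        self.skew = skew_steps
        self.used = set()   # counters already consumed by a valid knock

    def verify(self, observed_ports, now):
        c0 = totp_counter(now)
        # Forget counters that have aged out of the acceptance window.
        self.used = {c for c in self.used if c >= c0 - self.skew}
        for c in range(c0 - self.skew, c0 + self.skew + 1):
            if c in self.used:
                continue
            if list(observed_ports) == knock_sequence(self.secret, c):
                self.used.add(c)
                return True
        return False
```

Whether the knock then opens a firewall rule or triggers a command is exactly the "dead-simple" versus "morass" line drawn above; the verifier itself is the small part.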
There are many points made in the presentation, including that a significant number of ~~targets~~ hosts are not running OpenSSH. See the list and the claims that some classes of them are important.

The swipe at "running shell commands" isn't very credible, but the second attack surface is legitimate.

4th bullet from the bottom sounds credible to me:

> Supports the execution of shell commands on behalf of valid SPA packets.

Even if it were only a statically configured command (no idea if it is or isn't), as soon as that door is opened, it leads to a morass.