Two factor auth addresses the user password as being a weak link, and this is a nice step
Oh and btw, yes, the private keys were on the server, with a passphrase