interesting, but two factor ssh authentication can be achieved mucheasier than this: encrypted ssh keys. Something you have (the private key) and something you know (the password to the private key).
"Something you have" actually implies "something an attacker wouldn't have".
Hardware tokenizers, SMSes via mobile phones or secrets available only on your phone are all things that confirm a physical link with you that the attacker cannot reproduce even if it has a keylogger and root access on your computer.
Which cannot be said unfortunately about private keys. You can regard them as long passwords saved in a file on your computer (which you need to bring with you on a USB stick and copy on any remote computer from where you'd like to login). Sure, they do not travel over the network, but they have zero protection in case your laptop is rooted and keylogged.
The whole US financial industry has their heads in the sand over this one. In 2005 the FFIEC (a US regulator) declared that single-factor authentication alone wasn't sufficient for high-risk transactions.
What did the industry do? They rushed half-baked solutions out the door. One of the worst offenders is Harland Financial Solutions. They created a "Multi"-Factor authentication product for online banking, which is multi-factor in name only. When you login using a computer without a cookie set, the "MFA" system asks a security question (like, "What was your elementary school?"), then sets a cookie.
Harland considers the computer+cookie combination "something you have", and will claim with a straight face that this system is secure and multi-factor.
Unfortunately as an administrator (outside of a soft policy) there doesn't seem much I can do to ensure that my users have an encrypted ssh private key nor can I control what other machine it's copied to. Which is something that worrying when users add 5 different authorized_keys from this and this account on physical machines and VMs and Android devices.
