A month or two ago I tried to set up 2FA with an authenticator app - unsuccessfully. Went through my devices today and set the following. Denies if publickey doesn’t match; if publickey authentication is successful, it prompts for password.
# /etc/ssh/sshd_config
# ...
AuthenticationMethods publickey,password
# ...
# Comment out
# PasswordAuthentication {yes|no}
# PubkeyAuthentication {yes|no}
sudo sshd -t
sudo systemctl restart sshdEOF