
The idea that a serious compromise will present a clear path back to a specific SSH key that got used by the attackers, and that you'll possibly be able to stop it just by turning off that key, is pretty laughable. But then again, so is protecting your core infrastructure with 1.5-factor Android soft tokens. Google isn't even willing to make it sound like especially strong protection for your Gmail account. How much for a CAC-style PKI infrastructure? Hard to believe it's more than $50-$100/seat for a small organization. If you're worried about figuring out which employee got his phone dropped after your whole backend got molested, perhaps an actual security posture would be more suitable.


It's by far the most accessible two-factor authentication method, and not as insecure as you're making it out to be.


What percentage of those Android phones would you say are upgraded to a level where they don't have any publicly announced CVEs against them that allow for RCE or close enough? Like 5 or 10 percent? I agree that it's better than a single secret, but how does a soft token count as "something you have" if it can be stolen from your phone and not end up "missing"? My Google Auth secret continued to work without a hiccup after Apple repaired and wiped my phone and I restored from their cloud backup service. That's not too bad for keeping my voicemail private, but it's a pretty weak protection for sudoers on boxes that are pretty much critical to your company existing.
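As an added illustration of the restored-from-backup point in the comment above (this is not code from the thread; the RFC 4226/6238 test-vector secret is real, while the otpauth secret "JBSWY3DPEHPK3PXP", the two "devices" and all helper names are my own constructed example): a TOTP code is a pure function of the shared secret and the clock, so any byte-identical copy of the secret, whether on the original phone, a phone restored from a cloud backup, or a screenshot of the enrolment QR code, produces codes the server accepts, and the server has no way to tell the copies apart.

```python
"""RFC 6238 TOTP on top of RFC 4226 HOTP, plus a server-side verifier, to show
why a soft-token secret behaves like "something you know" once it is copied."""
import base64
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F                      # low nibble of the last byte picks the window
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, at // step, digits, digestmod)


def decode_otpauth_secret(b32: str) -> bytes:
    """Secrets in otpauth:// URIs (the QR code, and what a backup stores) are unpadded base32."""
    b32 = b32.strip().replace(" ", "").upper()
    return base64.b32decode(b32 + "=" * (-len(b32) % 8))


def verify_totp(secret: bytes, submitted: str, at: int, window: int = 1,
                step: int = 30, digits: int = 6) -> bool:
    """Server-side check tolerating +/- `window` steps of clock skew; constant-time compare."""
    for drift in range(-window, window + 1):
        candidate = hotp(secret, at // step + drift, digits)
        if hmac.compare_digest(candidate, submitted):
            return True
    return False


def restored_copy_is_indistinguishable(b32_secret: str, at: int) -> bool:
    """Model the scenario from the thread: the original phone and a phone restored from
    backup hold the same base32 secret. A code minted on the restored copy verifies
    against the server's copy exactly as one from the original would."""
    original_phone = decode_otpauth_secret(b32_secret)   # what the server enrolled
    restored_phone = decode_otpauth_secret(b32_secret)   # byte-identical copy, not a distinct token
    code_from_restored = totp(restored_phone, at)
    return verify_totp(original_phone, code_from_restored, at)


if __name__ == "__main__":
    # RFC 4226 / RFC 6238 Appendix B test-vector secret (ASCII "12345678901234567890").
    rfc_secret = b"12345678901234567890"
    print("HOTP counter 0:", hotp(rfc_secret, 0))                 # RFC 4226 vector: 755224
    print("TOTP at t=59  :", totp(rfc_secret, 59, digits=8))      # RFC 6238 vector: 94287082
    # Constructed example secret, as it would appear in an otpauth:// URI or backup.
    example_b32 = "JBSWY3DPEHPK3PXP"
    print("Restored copy accepted:", restored_copy_is_indistinguishable(example_b32, 1234567890))
```

The verifier's clock-skew window is the usual server-side leniency; it is also why simply "turning off" a token after the fact does nothing about codes an attacker already harvested from a copied secret within that window.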



