Yes, if a passphrase is selected, then SSH PKA can provide two-factor authentication. But passphrases are optional. Their use must be enforced by policy.
Any system that requres a user to authenticate two different ways -- a) something they have, combined with b) something they know -- are two-factor authentication methods. Other examples: RSA key fobs that provide changing sequences combined with a user PIN. Web applications that require both a client X.509 certificate and a password/passphrase. VPN clients that require workstation certificates combined with a password/passphrase.
|