Use 2FA Authentication over SSH (as Fallback for SSH-keys)

We will install 2FA (two-factor) authentication over SSH.
Afterwards we can still authenticate as usual with SSH keys, but as a fallback, if we lose our SSH key or are sitting at another computer, we can connect using 2FA. This means the root password plus a code that changes every 30 seconds.
We get the second factor with our smartphone. On an Android-based phone you can use andOTP or FreeOTP, both available from the F-Droid repository. Personally I prefer andOTP.
So let's start:

aptitude install libpam-google-authenticator

Execute as the user that should use 2FA:

google-authenticator

Say y to all questions, except the one about extending the token time window (the 4th question).

Then write down the scratch codes; you will need them if you lose both your SSH keys and your smartphone. These are one-time-valid authentication codes which you can use as the second factor.
Then scan the QR code that google-authenticator prints on the console with andOTP (on the smartphone) to add the OTP (one-time password) generation data to the app.

Add a new line to /etc/pam.d/sshd:

echo "auth required pam_google_authenticator.so" >> /etc/pam.d/sshd

Activate ChallengeResponseAuthentication in /etc/ssh/sshd_config and allow root password login:

sed -i 's/^\(ChallengeResponseAuthentication \).*/\1yes/' /etc/ssh/sshd_config
sed -i 's/^\(PermitRootLogin \).*/\1yes/' /etc/ssh/sshd_config

Restart ssh (keep the old ssh session open!) and test.

systemctl restart sshd.service
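The two sed one-liners above only rewrite a directive that is already present and uncommented; on a stock Debian install the line reads "#PermitRootLogin prohibit-password", so the sed matches nothing and the restart silently keeps root password login disabled. Below is an added example (not part of this page) of a small editor that handles the commented, missing and duplicated cases, keeps global directives above any Match block (where sshd would otherwise treat them as conditional), and runs "sshd -t" before the restart so a typo cannot lock you out. SAMPLE_SSHD_CONFIG is a constructed excerpt, not the real file; on OpenSSH 8.7 and later ChallengeResponseAuthentication is an alias for KbdInteractiveAuthentication, so either spelling works with this editor.

```python
import re
import subprocess
import sys

# Constructed excerpt resembling a default Debian sshd_config (not the real file).
SAMPLE_SSHD_CONFIG = """\
# Authentication:
#PermitRootLogin prohibit-password
ChallengeResponseAuthentication no
UsePAM yes
"""

SSHD_CONFIG_PATH = "/etc/ssh/sshd_config"


def set_sshd_option(config_text: str, key: str, value: str) -> str:
    """Return config_text with the global directive `key` set to `value`.

    Cases handled that a plain sed substitution misses:
      * the directive is commented out ("#PermitRootLogin ...");
      * the directive is missing entirely (it is appended);
      * the directive appears more than once (sshd honours the first
        occurrence, so later global duplicates are dropped);
      * Match blocks: everything from the first "Match" line on is left
        untouched, and an appended directive goes before it, not inside it.
    """
    directive = re.compile(r"^\s*#?\s*" + re.escape(key) + r"\b.*$", re.IGNORECASE)
    lines = config_text.splitlines()
    split = next((i for i, l in enumerate(lines)
                  if re.match(r"^\s*match\b", l, re.IGNORECASE)), len(lines))
    head, tail = lines[:split], lines[split:]

    out, done = [], False
    for line in head:
        if directive.match(line):
            if not done:
                out.append(f"{key} {value}")
                done = True
            continue          # drop commented-out or duplicate occurrences
        out.append(line)
    if not done:
        out.append(f"{key} {value}")
    return "\n".join(out + tail) + "\n"


def enable_2fa_fallback(config_text: str) -> str:
    """Apply the two settings this page changes."""
    text = set_sshd_option(config_text, "ChallengeResponseAuthentication", "yes")
    return set_sshd_option(text, "PermitRootLogin", "yes")


def validate_and_restart(path: str = SSHD_CONFIG_PATH) -> bool:
    """Syntax-check the file with `sshd -t` and only then restart the service.
    A rejected config leaves the running daemon (and your open session) alone."""
    check = subprocess.run(["sshd", "-t", "-f", path], capture_output=True, text=True)
    if check.returncode != 0:
        print("sshd rejected the config, not restarting:", check.stderr.strip(), file=sys.stderr)
        return False
    return subprocess.run(["systemctl", "restart", "sshd.service"]).returncode == 0


if __name__ == "__main__":
    # Dry run on the constructed sample; to apply for real, read/write
    # SSHD_CONFIG_PATH as root and then call validate_and_restart().
    print(enable_2fa_fallback(SAMPLE_SSHD_CONFIG), end="")
```

After the restart, test from a second terminal with "ssh -o PubkeyAuthentication=no root@host" so you actually exercise the password-plus-code path rather than your key.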
linux_server_manuals/2fa_authentication.txt · Last modified: 2018/01/19 10:22 by ronney