DEV Community

[Comment from a deleted post]
Florian Lefèvre • Edited

I think you miss the point that you are not limited in the number of keys allowed to connect to your server. The authorized_keys file can contain multiple public keys.
I apply this rule: NEVER copy my private key anywhere. The more you copy it, the more it is exposed. Don't make copies on USB sticks, for example.
I think you should use a unique keypair per computer you use.
Your laptop was stolen? No problem, just remove your key from the authorized ones.
Furthermore, I generate my keypair on the spot.
IP restriction is good, but it's very restrictive. 2FA seems better because you can use it from anywhere.
The only problem I encounter with this method is that you need to have access to an authorized host to authorize your new key. Easily solved if you have KVM access to your server at your hosting provider.

See it as one password per computer. :)

You can also use an SSH proxy/bastion setup if you have multiple servers to manage, and allow only your proxy to connect to your servers.
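
The per-device key hygiene described in the comment above, as an added example that is not part of the original thread: a small POSIX shell helper that revokes one device's public key from an authorized_keys file by its comment field (the device name), plus a client-side ssh_config stanza for the proxy/bastion setup mentioned at the end. The sample file contents, the device names (florian@desktop and so on), the host names and the placeholder key blobs are all constructed for illustration and are not real keys or hosts.

```shell
#!/bin/sh
# Added example, not code from the original thread.
# One keypair per device, with each key's comment set to the device name,
# so a stolen device is revoked by deleting the single line carrying its name.

# Constructed sample authorized_keys. The key blobs are placeholders, not real keys.
make_sample_authorized_keys() {
  cat > "$1" <<'EOF'
# florian's devices, one key each
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER1 florian@desktop
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER2 florian@laptop
from="203.0.113.10" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER3 florian@bastion
EOF
  chmod 600 "$1"
}

# revoke_device_key FILE DEVICE
# Remove every key whose comment (the last field) is exactly DEVICE.
# Exact match on $NF, so "florian@laptop" does not also drop "florian@laptop2".
revoke_device_key() {
  file=$1
  device=$2
  tmp=$(mktemp) || return 1
  awk -v dev="$device" '$NF != dev' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
  # Overwrite through cat rather than mv so the file keeps its mode and owner
  # (sshd ignores an authorized_keys file that is group- or world-writable).
  cat "$tmp" > "$file"
  rm -f "$tmp"
}

# count_keys FILE: number of key lines (blank lines and # comments ignored)
count_keys() {
  grep -c '^[^#[:space:]]' "$1" || true
}

# bastion_ssh_config OUTFILE BASTION_HOST INTERNAL_PATTERN
# Client-side ~/.ssh/config stanza: hosts matching INTERNAL_PATTERN are reached
# through the bastion with ProxyJump, so only the bastion has to be reachable
# from outside and only the bastion's address has to be allowed on the others.
# The identity file name is an assumption (one key file per device).
bastion_ssh_config() {
  cat > "$1" <<EOF
Host $2
    IdentityFile ~/.ssh/id_ed25519_$(hostname -s 2>/dev/null || echo thisdevice)
    IdentitiesOnly yes

Host $3
    ProxyJump $2
    IdentitiesOnly yes
EOF
}
```

On the server (over the provider's KVM/console if the only authorized device is the stolen one), `revoke_device_key ~/.ssh/authorized_keys florian@laptop` drops exactly that device's key and leaves the others untouched. The `from="203.0.113.10"` option on the bastion's line is the IP restriction mentioned in the comment, applied to just that one key: the bastion's key is only accepted from the bastion's address, while the laptop and desktop keys remain usable from anywhere.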

nicoroy2561

So overall this way it would be pretty much the same, since both methods involve going through the hosting provider to authorize operations from a new device.
Using keys is probably easier over time; I ought to consider that.

Florian Lefèvre

Another solution may be to use something like a Yubikey and 2FA.

If you lose it, 2FA protects you until you have removed it everywhere.
You can take it with you, and it can't be copied by someone.