Disable MFA verification when using an SK

[perrze]

Hi,
This message is more of a bastion setup question than a issue on the code itself.
Since v3.16.00 (youhou) we can use SK keys to connect to bastion.
But we still need to use MFA after the key is used.
Since, in my organization we consider (is it true ?) that using SK keys constitute a MFA, we thought to disable MFA enforcement.
But since we don't have a lot of money (being a french non-profit) we can't afford buying FIDO keys to everyone.

I wonder if you had ideas to how disable MFA when a user is using SK keys to connect but enforce it when he is using "normal ssh key" ?

I search the web and it doesn't openssh offers the possibility to Match on type of key used. And a group like "nopam" doesn't work because a user could have both sk and not sk keys on his account.

Thanks for your answers, if a change of code is needed I will be pleased to help writing it !
Perrze.