2FA With SSH/SFTP Keys
You can implement external 2FA for an SSH/SFTP Key by using key types of ecdsa-sk or ed25519-sk.
This implements 2FA at the SSH/SFTP Key itself, outside of Files.com control but supported by Files.com. Whenever these SSH/SFTP Keys are used by a client app, the user will be prompted for a second authentication by their 2FA device. For example, if you created your key using a YubiKey, or compatible FIDO/U2F token, then you will be prompted for your YubiKey, or compatible FIDO/U2F token, whenever you try to use the private key. Once authenticated, the SSH/SFTP Key will be allowed to connect to Files.com SFTP.
When using these key types of ecdsa-sk or ed25519-sk to implement 2FA for the SSH/SFTP Key, the 2FA configuration is outside of Files.com control and cannot be reflected in the User settings. A user with this type of SSH/SFTP Key will not show as "2FA Enabled" because it is the Key that has 2FA enabled for it.
2FA for SSH/SFTP Keys cannot be implemented with other key types. Only key types of ecdsa-sk or ed25519-sk can be used to implement 2FA for SSH/SFTP keys.
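Because the second factor lives in the key and is not shown in the User settings, the key type is the only visible sign that a public key is FIDO/U2F-backed. The following added example (not Files.com code) classifies OpenSSH public key lines by parsing the key blob and rejecting lines whose declared type does not match the blob. The sample keys are constructed from dummy bytes, and the code assumes plain .pub-style lines with no authorized_keys options prefix.

```python
import base64
import struct

# OpenSSH wire names for the two key types named on this page.
SK_TYPES = {
    "sk-ssh-ed25519@openssh.com": "ed25519-sk",
    "sk-ecdsa-sha2-nistp256@openssh.com": "ecdsa-sk",
}

def read_string(buf, off):
    """Read one SSH string (uint32 big-endian length, then bytes)."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack(">I", buf[off:off + 4])
    if off + 4 + n > len(buf):
        raise ValueError("truncated string body")
    return buf[off + 4:off + 4 + n], off + 4 + n

def classify_public_key(line):
    """Return (short_type, application) for an sk key, else (None, None)."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("not a public key line")
    # b64decode raises binascii.Error (a ValueError) on invalid input.
    declared, blob = fields[0], base64.b64decode(fields[1], validate=True)
    inner, off = read_string(blob, 0)
    if inner != declared.encode():
        raise ValueError("declared type does not match key blob")
    if declared not in SK_TYPES:
        return None, None
    # Fields before the application string: pk (ed25519-sk) or curve + Q (ecdsa-sk).
    for _ in range(1 if declared.startswith("sk-ssh-ed25519") else 2):
        _, off = read_string(blob, off)
    app, _ = read_string(blob, off)
    return SK_TYPES[declared], app.decode("utf-8", "replace")

def make_line(key_type, *parts):
    """Build a CONSTRUCTED public key line from dummy bytes (not a real key)."""
    blob = b"".join(struct.pack(">I", len(p)) + p for p in (key_type.encode(),) + parts)
    return key_type + " " + base64.b64encode(blob).decode() + " constructed@example"

SAMPLES = [
    make_line("sk-ssh-ed25519@openssh.com", b"\x01" * 32, b"ssh:"),
    make_line("sk-ecdsa-sha2-nistp256@openssh.com", b"nistp256", b"\x04" + b"\x02" * 64, b"ssh:"),
    make_line("ssh-ed25519", b"\x03" * 32),
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s.split()[0], "->", classify_public_key(s))
```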
SSH/SFTP Keys cannot be used with user accounts that require any other form of 2FA. You must configure 2FA to be bypassed for SFTP connections, which will allow SSH/SFTP Keys to be used.
Support for ecdsa-sk and ed25519-sk type keys is intended for human users and never for automated processes or scripts. These keys are designed for the 2nd factor of authentication to be provided interactively by a human user.