Why not simply allow users to specify any public ssh key as an authentication factor? And create a UI around that? Why do we need to create more and more new security crap that no sane person understands?
All I care about is that the keys are ssh keys and the protocol is ssh auth. Then do with that what you will. Store the keys in the cloud if you must. When a user creates an account on a site the browser gives the user a choice to either select an existing identity or create a new one. All very straight forward. You don't have to mention anything about ssh, RSA or ssh. Nobody is forced to learn what ssh means or how it works.
