Which can have a passphrase and an agent, all sorts of MFA. One benefit to wireguard though is it's using UDP with a much less noisy handshake, you will never even know if the port you tried connecting to runs it (if your firewall is configured correctly). It's much more stealthy, an ssh server will pronounce it's version banner and public host key to literally anyone.