I would like to try to build a VirtualBox image to use with Vagrant. These are the features:

  • Login with SSH + 2FA (Google Auth)
  • No X
  • No internet connection
  • Copy unsigned transaction, sign it and broadcast from the external host
  • (Possible with the use of "Synced Folders")

What worries me is:

If the image was to be stolen and the hacker could mount the image and access my wallet that way, would the solution be to encrypt something?

I really like the combination of "something I know" and "something I have", but could it work for a VM also?

1 Answer

Authentication is about making sure that the peer (say, a connecting client) is who they claim to be; this is the normal first step which enables authorization, i.e. the process of deciding whether the access ought to be granted or not. The important point is that such a thing makes sense only when there is a system which acts as gatekeeper for an important service, e.g. the system contains sensitive data.

A VM image, that the attacker might possibly steal a copy of, is not such a system. By definition, an attacker who steals an image of a VM can inspect it at will, booting it up, seeing its files, reading its memory, and so on. To make an analogy, imagine the VM as a city; the SSH and 2FA and whatnot is a big fortified wall encircling the city, with sturdy doors and dozens of guards armed with swords and pikes; they will grant access only to people who know the passcode and are vouched for by a citizen. For the attacker, stealing the VM is like having some choppers and landing a few platoons of marines on the city central plaza; the efficiency of the wall and the guards against such a scenario is, at best, questionable.

So yeah, against an attacker who can read all the stored data (that's what happens with a stolen VM image) you need confidentiality, and that calls for encryption. You can actually forget this VM business and SSH; for the security you want, it totally misses the point.

Thomas Pornin