I've successfully setup 2FA on multiple hosts following the below (and similar instructions) where I typically authenticate via ssh using a username / password:

https://aws.amazon.com/blogs/startups/securing-ssh-to-amazon-ec2-linux-hosts/

The issue I am having now - is the instructions don't work when I am authenticating using an ssh PRIVATE KEY FILE(keyfile.pem)

i.e ssh -i "keyfile.pem" host

Normally when I use a keyfile without 2FA enabled, it just connects to the host - no password requested/required.

When setting up 2FA using the above instructions - I get asked for a verification key but then it asks me for a password (when I never set one up!) - so this is stopping me from logging in. I've tried setting PermitEmptyPasswords to yes in sshd config and entering a blank password when it asks for a password but this doesn't work.