A lot of companies, wisely, realize at some point that SSH keys alone aren't as secure as they seem to be. If a laptop gets yoinked, or a private key is leaked, an attacker has a pretty easy path to reach your remote hosts. The obvious solution is to add a second factor for authentication.
The problem is that setting this up for SSH is painful and error-prone. You need to configure hosts, or write some custom module that you distribute throughout your organization. Maybe you end up with a YubiKey solution or write some code that talks to Google Authenticator's API.
Instead of doing all this, you can avoid SSH keys entirely and, in doing so, avoid having to implement any new 2FA at all. Just use your existing identity provider (with its already-configured 2FA, not to mention its other benefits) alongside SSH certificates, and you're done.
We do all this for you with Cased Shell.
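
What the identity-provider-plus-certificate approach above looks like with stock OpenSSH, as an added example (not code from the original post or from Cased Shell): a CA signs the user's key only after the IdP login succeeds, and the certificate expires on its own. The working directory, the `alice` account, the 8-hour lifetime and the helper function names are assumptions.

```shell
#!/bin/sh
# Added example: mint a short-lived SSH user certificate once the identity
# provider (IdP) has authenticated the user. Names and paths are assumptions.
set -eu
WORK=$(mktemp -d)            # throwaway dir; a real CA key belongs in an HSM/KMS
trap 'rm -rf "$WORK"' EXIT

# One-time setup: the user CA. Only user_ca.pub is ever copied to hosts.
make_ca() {
  ssh-keygen -q -t ed25519 -N '' -C 'example-user-ca' -f "$WORK/user_ca"
}

# Per login, run by the signing service after the IdP (password + 2FA) vouches
# for $1. $2 = local account the cert may log in as, $3 = user's public key.
#   -I  key ID, recorded in sshd logs for audit
#   -n  principal(s) the certificate is valid for
#   -V  lifetime: a stolen laptop holds a credential that expires by itself
#   -O  clear drops all default extensions (forwarding etc.), then re-add a PTY
issue_cert() {
  ssh-keygen -q -s "$WORK/user_ca" -I "$1" -n "$2" -V +8h \
    -O clear -O permit-pty "$3"
}

# Print one field of the certificate as reported by `ssh-keygen -L`.
cert_field() {   # $1 = certificate file, $2 = field label, e.g. "Key ID"
  ssh-keygen -L -f "$1" | sed -n "s/^ *$2: *//p"
}

# Principals are listed one per line under the "Principals:" label.
cert_principals() {
  ssh-keygen -L -f "$1" |
    awk '/Principals:/{f=1;next} /Critical Options:/{f=0} f{print $1}'
}

make_ca
ssh-keygen -q -t ed25519 -N '' -C 'laptop key (constructed)' -f "$WORK/id_user"
issue_cert 'alice@example.com' alice "$WORK/id_user.pub"
CERT="$WORK/id_user-cert.pub"
echo "key id:     $(cert_field "$CERT" 'Key ID')"
echo "valid:      $(cert_field "$CERT" 'Valid')"
echo "principals: $(cert_principals "$CERT")"

# Host side (sshd_config), so that hosts trust the CA instead of static keys:
#   TrustedUserCAKeys /etc/ssh/user_ca.pub
#   AuthorizedKeysFile none
```

Because hosts trust only the CA, revoking access is an IdP change: no new certificate is issued, and the last one stops working when its validity window closes.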