Using 2FA authentication to GitLab via SSH connections

Here’s the problem we’re trying to solve.
We have users who create phraseless SSH keys to access GitLab. Since there is no way of knowing from the public key, we have no way to enforce having a phrase on a key. Therefore, we’d like a way to tie in push authentication when someone does a git+ssh operation to GitLab (clone, push, etc.).
Secure keys aren’t the best, as much of our development is done on virtual machines that the developers do not have physical access to. We also have Windows, WSL2, Linux and Mac environments, so something that can just do a push notification to an authenticator app would be best.
Is there a solution for this that doesn’t require using personal access tokens and enforcing an expiration policy?