On-Premise ServiceNOW & MFA with Hardware Security Key

OzoneTrip
Tera Contributor

Hi,

We are setting up an on-premise ServiceNOW instance and we have a requirement to set up MFA with a roaming authenticator utilizing the FIDO2 process (in our case, a hardware security key).

Our instance will not have direct access to the public internet, so I am wondering whether it requires one? Does the instance authenticate the connection with an external WebAuthn Relying Party/FIDO2 Server or do we have to set one up ourselves?

If we do, where do we modify the endpoint parameters? I see some references to SNC.GlideAuthenticationFactor in the script but I can't find any documentation related to it.

Any help with this matter would be appreciated!

Thank you!

BR,
Aleksi

Damian14
Tera Expert

Question for you. Have you been able to register more than one hardware security key? I can't seem to get SN to allow a second hardware key to register.

A reply to your question. I would use the keys for MFA even if you are on-prem. If your users have hardware keys already, they are already used to using them. Using a hardware key for MFA is less work than email OTP or using an Authenticator App (which requires a mobile phone). And hardware keys (or more exactly U2F, FIDO2, webauthn) aren't vulnerable to any sort of in-the-middle attack.


We are still setting the instances up so we aren't at the stage yet to be able to register any hardware keys.

Yes, we have a requirement for using the hardware keys.

The problem is that our on-prem instance will not have access to the internet, so we will need to figure out another way to complete the authentication process using the Relying Party if SN utilizes a 3rd party Relying Party.

Damian14
Tera Expert

One of the benefits of using hardware security keys is that you don't need the internet to register them and/or authenticate with them.

Damian

Ah, that is interesting.

That means that ServiceNOW is the Relying Party in the FIDO2 process.
I wonder if I can override the SSL requirement somehow (since we don't have certifications for our sandbox environment).
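To illustrate what the replies above describe (the instance itself acting as the WebAuthn Relying Party, so an assertion is checked locally against the RP ID, the https origin and the issued challenge, with no call to an outside server), here is an added example of the relying-party-side checks. It is not ServiceNow code; the RP ID, origin and challenge are constructed values, and signature verification over the stored credential public key is left out so the example stays focused on the local checks.

```python
import base64
import hashlib
import json

# Constructed values for the demo (not from any real instance): the RP ID is the
# instance hostname, and the origin must be the https URL the browser is on.
RP_ID = "servicenow.corp.example"
EXPECTED_ORIGIN = "https://servicenow.corp.example"
ISSUED_CHALLENGE = b"constructed-challenge-0123456789abcdef"


def b64url(data: bytes) -> str:
    """Base64url without padding, as WebAuthn encodes the challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_client_data(origin: str, challenge: bytes, typ: str = "webauthn.get") -> bytes:
    """Build the clientDataJSON a browser would send (constructed for the demo)."""
    return json.dumps({"type": typ, "challenge": b64url(challenge), "origin": origin}).encode()


def make_auth_data(rp_id: str, flags: int = 0x05, sign_count: int = 7) -> bytes:
    """authenticatorData = SHA-256(rpId) || flags || signCount (32 + 1 + 4 bytes)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + sign_count.to_bytes(4, "big")


def verify_assertion(client_data: bytes, auth_data: bytes, rp_id: str,
                     origin: str, challenge: bytes) -> list:
    """Return the names of the RP checks that fail; an empty list means all passed.
    Every input needed here is local to the RP, which is why no internet is needed."""
    errors = []
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        errors.append("type")
    if cd.get("challenge") != b64url(challenge):
        errors.append("challenge")          # replayed or foreign response
    if cd.get("origin") != origin:
        errors.append("origin")             # browser was not on our site
    if not str(cd.get("origin", "")).startswith("https://"):
        errors.append("origin-not-https")   # WebAuthn only runs in a secure context
    if len(auth_data) < 37:
        errors.append("authdata-length")
        return errors
    if auth_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        errors.append("rpIdHash")           # key was scoped to a different RP ID
    if not auth_data[32] & 0x01:
        errors.append("user-presence")      # UP flag must be set
    return errors
```

The "origin" and "rpIdHash" checks are the ones that bind the key to this instance's hostname, which is also why a proper https certificate for that hostname matters even in a sandbox.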