Question for you. Have you been able to register more than one hardware security key? I'm can't seem to get SN to allow a second hardware key to register. 

A reply to your question. I would use the keys for MFA even if you are on-prem. If your users have hardware keys already, they are already use to using them. Using a hardware key for MFA is less work then email OTP or using an Authenticator App (which requires a mobile phone). And hardware keys (or more exactly U2F, FIDO2, webauthn) aren't vulnerable to any sort of in-the-middle attack.