I used this way:
set up additional sshd on the same host.
First sshd listen 22/tcp port and accept all users using ssh-key + google-authenticator (the most secure).
Second sshd listen 22522/tcp port and accept only
[email protected] using ssh-key only.
I tested this configuration from...