How can I setup 2FA on non-interactive SSH connections?

I would like to add a level of security for logins to an SSH server (Ubuntu), using two factor authentication. One particularity on how the users connect to the SSH server is that sometimes they do it in a non-interactive way: the SSH server is configured in the users' MySQL client to be used as a bastion/proxy to reach a database. As a consequence I'm looking for 2FA setups that don't require the user to type anything in a terminal.

One existing solution that sounds promising in theory is Google's phone prompt allowing the user to validate the connection. Every SSH user would be associated with a phone number and this phone number would receive a prompt to validate on each connection.

An obvious downside to this idea is that it sounds like it would require the development of a phone app, which would make it way too complicated and expensive. Are there other techniques that I could use to allow users to validate non-interactive SSH logins?

You could use an SSH-CA to issue temporary short-term OpenSSH user certificates only valid for a couple of hours. The user has to request the cert by authenticating with any MFA solution you prefer. The SSH cert and private key will be loaded into the SSH key agent and can be used until the user cert expires.

There are various SSH-CA implementations out there with my EKCA being one of them. YMMV.