My take on the documentation is that no matter what method of primary authentication you're using, local account or LDAP/NIS, the second factor can only be publickey. If you want to use an external Identity Provider other than AD/LDAP/NIS, the only applications supported are http and ontapi, not ssh. You can verify this yourself by going to the command line and typing:
security login create -user-or-group-name "domain\group" -application ontapi -authentication-method ?
Then do the same as above but swap ontapi for any of the other applications.