Re: Pay less the CEO...
SSH keys and access tokens are not 2FA. Proper 2FA requires two authentication steps with different "factors" - which really need to be different, they can't be the same type of factor.
While a web login can easily ask you a password and an one-time pin sent you via a different channel, local clients rarely do. I didn't see a VCS client supporting 2FA yet.
It would be very hard to configure an automatic system - think continuous integration - to work with it, because most 2FA systems are interactive.
Probably you can do it using hardware devices storing certificates and/or generating OTPs, but that have a cost, and those devices need to be supported by the backend.
You also have the user management issue - more silos you have each with its own user management, the less control you have on how many users are actually active and how strong their authentication is.
SSO makes sense because you can set up very strong authentication at system log on, and then let the identity/authorization system handle the authentication and authorization on several subsystems.
Good luck, though, to be able to do it when using external services. That's why internal systems and services may be a better option when you need to have full control on security.
Even if that mean you don't use services fashion dictates to be used to be a cool developer.
Frankly, I see nothing cool in GitHub. Just a Moloch swallowing all your code in one single place, with all the associated risks.