If you can force authentication via both private key and a password, then you're authenticating via both "something you have" (the key), and "something you know" (the password). Having a passphrase on the key protects access to the key, but it doesn't provide any additional levels of authentication to the (remote) system that is requesting authentication — after all, the user could have removed the passphrase from the key file, there's no way for the remote system to know.

Unfortunately, there doesn't seem to be a way to require both a key and a passphrase to be entered. There may be a way to do it with some (custom?) pam configuration/modules, but as far as I know, nothing in sshd itself.

Different issue. It is definitely best practice to use a long passphrase to protect every secret key, this is off topic.

What I meant was, you connect to the SSH server and authenticate cryptographically (use passphrase locally when prompted) - then you also need a logon + password for the SSH server to complete the authentication. This would reject the internet noise banging on the port, but impose a 2 factor test.