I believe you are missing the point. There are many ways to improve security and lock down any device manually. The point is that if you're going to set the SSH pass automatically to the user-entered password, a user would reasonably expect you would also set two-factor authentication once enabled as well. I’m speaking to the onboarding process and not what's possible for savvy users, but something that would benefit users without that knowledge. Because it only takes “5 minutes and a few steps” is exactly why I’m calling it out as a potential improvement to the OS.
Following your logic, why would one have two-factor at all? One would be even less likely to open port 80 over clear text where the two-factor actually happens. My point is only that if you're going to have two-factor authentication enabled, then enable it wherever you are authenticating and you will at the very least be meeting a baseline of user expectation.