From PCI-DSS point of view, are using SSH keys for passwordless authentication secure enough?
If your ssh service is open to the Internet, then you need two-factor authentication (8.3). This requirement applies to any account with access to any system on which cardholder data is present (except for accounts which only process transactions and only have access to the data they’re processing at that time). You should also have two-factor authentication on your internal network (8.2).
The ssh key counts only as one factor (something you know), even if it has its own passphrase.
This requirement will be missed by an external scan since it can’t be tested for. But auditors who visit you on-site should look for it.
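One practical way to check for the situation the answer describes, added here as an example and not part of the question or the answer above: a small POSIX sh audit helper that reads an OpenSSH server configuration and reports whether a login requires more than the public key. It relies on the real OpenSSH `AuthenticationMethods` directive (a comma-separated list means every method in it is required; space-separated lists are alternatives, any one of which suffices). The three sample configurations and the `requires_two_methods` function name are constructed for this illustration.

```shell
#!/bin/sh
# Added audit example; the sample configs below are constructed, not taken
# from any real host. Only the "Key value" directive form is parsed (not "Key=value").

# Constructed sample 1: key-only login. A stolen key (passphrase or not) is enough.
WEAK_CONFIG='PasswordAuthentication no
PubkeyAuthentication yes
'

# Constructed sample 2: "publickey password" lists two ALTERNATIVES, so either one
# alone still lets a user in. This is still single-factor.
ALTERNATIVES_CONFIG='PubkeyAuthentication yes
PasswordAuthentication yes
AuthenticationMethods publickey password
'

# Constructed sample 3: key AND a keyboard-interactive step (for instance a PAM
# one-time-password module) are both required in sequence.
STRONG_CONFIG='PasswordAuthentication no
PubkeyAuthentication yes
ChallengeResponseAuthentication yes
AuthenticationMethods publickey,keyboard-interactive
'

# requires_two_methods CONFIG_TEXT
# Prints "yes" (exit 0) when the first AuthenticationMethods line exists and every
# alternative in it chains at least two methods; otherwise prints "no" (exit 1).
# No AuthenticationMethods line at all means any single enabled method is accepted.
requires_two_methods() {
    # Strip comments, then take the first matching directive (sshd uses the first one).
    line=$(printf '%s\n' "$1" | sed 's/#.*//' \
        | awk 'tolower($1)=="authenticationmethods" {print; exit}')
    [ -z "$line" ] && { echo no; return 1; }

    # Split the line on whitespace: $1 is the directive, the rest are alternatives.
    set -- $line
    shift
    [ $# -eq 0 ] && { echo no; return 1; }

    for alt in "$@"; do
        # Count the comma-separated methods that this alternative requires in sequence.
        n=$(printf '%s\n' "$alt" | awk -F, '{print NF}')
        if [ "$n" -lt 2 ]; then
            echo no
            return 1
        fi
    done
    echo yes
    return 0
}

# Demonstration on the three constructed configs.
printf 'key-only config requires two methods:        %s\n' "$(requires_two_methods "$WEAK_CONFIG")"
printf 'key-or-password config requires two methods: %s\n' "$(requires_two_methods "$ALTERNATIVES_CONFIG")"
printf 'key-plus-OTP config requires two methods:    %s\n' "$(requires_two_methods "$STRONG_CONFIG")"
```

To audit a live host you would feed it the file contents, e.g. `requires_two_methods "$(cat /etc/ssh/sshd_config)"`, keeping in mind that `Match` blocks can override the directive for particular users or sources and are not evaluated by this simple check.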
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.