Two factor authentication using password and public Key #670

Open
kavyamahakala opened this issue Oct 4, 2024 · 1 comment

@kavyamahakala
We have an SFTP server which uses both password and public key for authentication on Bitvise. Our SftpClient is using jsch 0.2.19. We have incorporated addIdentity and set the password on our session. We have also implemented UserInfo and UIKeyboardInteractive in our SFTPUserInfo class, and set the session with user info as follows:
session.setUserInfo(new SFTPUserInfo(username, password, passphrase));
In our code, the preferredAuthentications we mentioned are publickey,password,keyboard-interactive

After these changes, we have used a Bitvise SSH Server to check the authentication that's happening. We notice that the public key is being used to authenticate; only in the case that the public key is invalid does it fall back to password (we think this ordering is due to the order of our preferredAuthentications). Our expectation is that at all times both public key and password are used for two-factor authentication.
Is there anything we are missing here to have two-factor authentication working?

@Alex-Vol-Amz
Contributor

This is a server side configuration issue. The server should be enforcing that both password and public key are successful, not the client.

I do not know how Bitvise configuration works with multiple methods. But OpenSSH works like this:

sshd_config

AuthenticationMethods publickey,password

Require public key followed by password, both successful

sshd_config

AuthenticationMethods publickey password

Require one of public key or password successful. The combinations can be more complex and allow for multiple lists of combinations of authentication methods.

Example from OpenSSH man page

 AuthenticationMethods
         Specifies the authentication methods that must be successfully completed for a
         user to be granted access.  This option must be followed by one or more
         comma-separated lists of authentication method names, or by the single string
         “any” to indicate the default behaviour of accepting any single authentication
         method.  If the default is overridden, then successful authentication requires
         completion of every method in at least one of these lists.

         For example, an argument of “publickey,password publickey,keyboard-interactive”
         would require the user to complete public key authentication, followed by
         either password or keyboard interactive authentication.  Only methods that are
         next in one or more lists are offered at each stage, so for this example, it
         would not be possible to attempt password or keyboard-interactive
         authentication before public key.

         For keyboard interactive authentication it is also possible to restrict
         authentication to a specific device by appending a colon followed by the device
         identifier “bsdauth”, “pam”, or “skey”, depending on the server configuration.
         For example, “keyboard-interactive:bsdauth” would restrict keyboard interactive
         authentication to the “bsdauth” device.

         If the “publickey” method is listed more than once, sshd(8) verifies that keys
         that have been used successfully are not reused for subsequent authentications.
         For example, an AuthenticationMethods of “publickey,publickey” will require
         successful authentication using two different public keys.

         This option will yield a fatal error if enabled if protocol 1 is also enabled.
         Note that each authentication method listed should also be explicitly enabled
         in the configuration.  The default “any” is not to require multiple
         authentication; successful completion of a single authentication method is
         sufficient.

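To make the AND/OR semantics of AuthenticationMethods concrete, here is an added example that is not code from JSch, OpenSSH or anyone in this thread. It models the directive's behaviour described in the man page above: comma-separated names form an ordered chain that must be completed in full, space-separated chains are alternatives, and at each stage only the next method of a still-live chain is offered. The three sshd_config fragments are constructed for the example; the function names are hypothetical, Match blocks are not modeled, and the distinct-key rule for repeated publickey entries is not modeled either. The MFA fragment reproduces the situation in the original question: after a successful public key the server still refuses the login until password or keyboard-interactive also succeeds, whereas the space-separated variant accepts a single factor.

```python
"""Model of OpenSSH's AuthenticationMethods semantics (added example).

Hypothetical helper code, not from JSch or OpenSSH. It parses the
AuthenticationMethods directive out of an sshd_config fragment and answers
the questions a practitioner asks when checking MFA enforcement: which
methods the server offers next, whether a login with a given sequence of
completed methods is accepted, and whether the config enforces two factors.
"""

# Constructed sshd_config fragments (not taken from a real server).
SSHD_CONFIG_MFA = """\
# Both factors required: publickey, then password OR keyboard-interactive
PubkeyAuthentication yes
PasswordAuthentication yes
KbdInteractiveAuthentication yes
AuthenticationMethods publickey,password publickey,keyboard-interactive:pam
"""

SSHD_CONFIG_EITHER = """\
# Weak: space-separated lists are alternatives, so ONE factor suffices
AuthenticationMethods publickey password
"""

SSHD_CONFIG_DEFAULT = """\
# No directive at all: equivalent to 'any' (a single method is enough)
PasswordAuthentication yes
"""


def parse_authentication_methods(config_text):
    """Return the directive as a list of chains (lists of method names).

    Each inner list is one comma-separated chain that must be completed in
    order; the outer list holds the space-separated alternatives. A missing
    directive or the literal "any" yields [] meaning "any single method".
    Device suffixes such as keyboard-interactive:pam are kept on the name.
    Like sshd, the first occurrence of the keyword wins. Match blocks are
    not modeled; anything after '#' is treated as a comment for simplicity.
    """
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if parts[0].lower() != "authenticationmethods" or len(parts) < 2:
            continue
        value = parts[1].strip()
        if value.lower() == "any":
            return []
        return [chain.split(",") for chain in value.split()]
    return []


def _base(method):
    """Strip a device suffix: 'keyboard-interactive:pam' -> 'keyboard-interactive'."""
    return method.split(":", 1)[0]


def next_methods(chains, completed):
    """Methods sshd would offer after `completed` (in order) succeeded.

    A chain is still live if `completed` is a prefix of it; the next element
    of every live chain is offered. With no directive (empty `chains`) every
    enabled method is offered until one succeeds, represented here by the
    sentinel {"any"}.
    """
    if not chains:
        return set() if completed else {"any"}
    done = [_base(m) for m in completed]
    offered = set()
    for chain in chains:
        base = [_base(m) for m in chain]
        if base[: len(done)] == done and len(base) > len(done):
            offered.add(base[len(done)])
    return offered


def is_authenticated(chains, completed):
    """True if `completed` equals, in order, every method of some chain."""
    if not chains:
        return len(completed) >= 1
    done = [_base(m) for m in completed]
    return any([_base(m) for m in chain] == done for chain in chains)


def enforces_two_factor(chains):
    """True only if every alternative chain needs at least two methods."""
    return bool(chains) and all(len(chain) >= 2 for chain in chains)


if __name__ == "__main__":
    for name, cfg in [("MFA", SSHD_CONFIG_MFA), ("EITHER", SSHD_CONFIG_EITHER),
                      ("DEFAULT", SSHD_CONFIG_DEFAULT)]:
        chains = parse_authentication_methods(cfg)
        print(name, "chains:", chains)
        print("  enforces two factors:", enforces_two_factor(chains))
        print("  offered first:", sorted(next_methods(chains, [])))
        print("  offered after publickey:", sorted(next_methods(chains, ["publickey"])))
        print("  accepted with only publickey:", is_authenticated(chains, ["publickey"]))
```

Run against the MFA fragment, `next_methods` returns only publickey at the first stage and then password or keyboard-interactive, which is exactly the client-visible ordering the original question describes; the difference is that `is_authenticated` stays False until the second factor also succeeds, while the space-separated variant is satisfied by either one. Point `enforces_two_factor` at your real sshd_config (or the equivalent policy on Bitvise) rather than at the client's preferredAuthentications, since the client cannot force a second factor the server does not demand.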