
Honest question. Why is SSH key rotation any better than, say, having to change passwords periodically? Cannot an intruder with one key leverage it to get the next one and keep going?
As for requiring physical interaction to smart cards, has consideration been made to the frequency by which these interactions would be necessary, to probe at the risk of click fatigue resulting in the development of bypasses?