Public key authentication is even better, of course. A non-standard port helps too. It sounds like SSH certificates would be better yet, but I don’t know much about them.
I have a spare Pi; I just ordered a couple of YubiKeys and the TRNG to give this a try.