Many configuration guides for SSH server suggest eliminating the login with a username/password and replace it with a key. More and more I use this solution in my small home environment. A day on Twitter I have seen this tweet and I have made some tests with mutual TLS (or mTLS).
I find mTLS really helpful when you cannot use a VPN, for example on an enterprise pc or due to some firewall restriction. So you can protect your services with a certificate installed in a browser. This solution works only for sites that should only accessible for a few users.
With Traefik is simple to implement mutual TLS for all or only some services. On my Github repository, I have published a configuration example.