Thank you for the hints; I seem to have missed MFA on OpenWrt SSH & LuCI while searching yesterday.
While the RTC/NTP requirement is bad for problems with internet connectivity, that can be avoided by only using 2FA if accessed from the internet interface and skipping it when accessed from the local interface.