Our security team has asked us to implement MFA on bitbucket, which we have done on the from end via a SAML/SSO plugin, however, the actual git methods to access the repos still is only single factor via SSH keys and Personal Access tokens.  I understand that this is generally a limitation on git functionality and so does my IT folks.

However, the issue with the SSH leys and PATs is that they are unlimited duration and should they be compromised, there is nothing that at least expires their value after some point of time.  It ould be nice to be able to have a feature that would allow some type of PAT expiration policy(s) be assigned on the system that would force the renewal by users of these tokens.  Probably based on a configured number of days for example.