Token-based authentication uses physical or software tokens generating one-time passwords — hardware tokens (RSA SecurID), soft tokens (smartphone apps), smart cards, FIDO2 keys.
Hardware tokens are the gold standard for remote admin access — they can't be SIM-swapped or phished (FIDO2 keys are phishing-resistant). Smart cards provide both authentication and digital signing capabilities.