I got annoyed enough at licensing/feature/packaging debacles with Teleport and Vault that I wrote my own little SSH CA in github.com/pkern/sshca. It uses SSH as authentication to deal certificates for SSH, going full circle. But if you want to have short-lived no-touch authentication based off a touch-based authentication event, it is something you could use. Sadly I needed to write a client to handle the details, but other products would also have needed one.

@phil You can replace the litany of `no-agent-forwarding,no-frobbing,...` with `restrict`.

@robryk Good point, done, thanks! Somehow I forgot about that one.
