Rebex Tiny SFTP Server supports two kinds of authentication:
- password-based authentication
- key-based authentication
These are only supported as alternatives - a client can present either a valid password or a valid key. Authentication requiring both the password and the key is not supported at the moment.
Based on your description, it looks like clients might be connecting using a password only. If you wish to only allow key-based authentication, set the password to a sufficiently long random value and don't use it with any of your SFTP clients.