In general it’s preferred to have good SSO with MFA. I can do this alreaby for example by using mod_auth_openidc in apache.
The biggest problem in general with adding MFA is always the API and/or third party apps using that. DevOps engineers sometimes have an app on their phone to quickky view / get alerts on criticals.
Looking at other tools, the possiblity of API tokens often allows for the rollout of SSO and/or MFA.