Our enterprise direction is to add multi-factor authentication; the first in scope are accounts with any admin privileges.
I see the addition of SAML has enabled SSO, but we are looking to add a token or token-PIN layer to anyone in the admin role that authenticates through a service like LDAP or AD. I mention that because I think we need to keep a local, built-in admin account with no MFA as a backup.