If you need to add MFA to Strapi without writing custom code, you might try the HeadLockr plugin. It provides:

Admin-side MFA (so your administrators can enroll TOTP or other second factors)

Content-API MFA (so you can protect certain endpoints with a second factor)

Disclosure: I’m one of the contributors to HeadLockr. You can install it via npm/yarn, configure your preferred provider, and have MFA running in a few minutes. Hope this helps!