(FIrst, let me say the recent force-on of "security code" for all admins, including those not using it, was not well received by our admin team. It's a truly awful implementation, made worse by being suddenly "there".)
The "security code" is NOT not not 2FA. It is a constant password, created by the user, using a complex/different set of restrictions, and worse it's only a part of that password. But it is still ONLY another static password. Thus, the user is tempted to write it down.
2FA involves a second bit of DYNAMIC and TIMELY info ONLY that user can have, normally obtained via a DIFFERENT channel/path. The security code meets none of these parameters. Any of many well known 2FA apps and/or methods can work well.
We have admins worldwide. By definition, they have online access. However, if you're thinking of requiring something like the Google Authenticator, I need to query our team as to whether they are all able to use it.
I can tell you from experience: it is going to be important to have the ability to DISABLE 2FA, at least temporarily, at least for diagnostic purposes. Requiring 2FA at all times can be a real headache in various recovery and emergency situations.