Great question. Let me give you some initial information, and then, depending on additional questions you may have and / or other posts, follow up as needed.
Multi-Factor Authentication (MFA) is discussed as part of NIST 800-171 compliance under requirement #3.5.3 - Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.
There are two broad approaches to incorporate MFA:
Out-of-Band (OOB) (e.g., accept an alert on an app on your phone, receive a call or text message with a One-Time Password (OTP))
Cryptographic tokens (e.g., digital certificate, YubiKey, etc.)
A company may have to incorporate more than one type of MFA to comply with NIST 800-171, since many businesses operate in a hybrid environment where some of their data is stored locally and some is hosted in the cloud, complicating the architecture and compliance solutions.
For companies with everything on-site and an Active Directory (AD) domain, digital certificates would be the most painless and seamless way to incorporate MFA.
However, that is generally not an option with most cloud providers, so OOB MFA solutions have to be considered for those environments.
Determining the "best fit" MFA technology solution comes down to two things:
#1 - Know what your Controlled Unclassified Information (CUI) is
#2 - Once you know what your CUI is, know where it is stored, transmitted and processed so you can segment it off from non-CUI data to minimize compliance scope
Having said all of that, some websites and documents that may prove to be helpful:
Please let me know if that points you in the right direction, and / or if you have any further questions that you want to discuss as you move through deciding on a solution.
Good luck!