Require multifactor authentication to establish non-local maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete.
Bold Coast Security Guidance
There is no way to overstate the importance of employing multifactor authentication for all remote access connections. Passwords are often easy to crack, and password cracking tools are sophisticated: they include aggregated password data from hundreds of breach events, so that "password spraying" is usually successful at compromising user credentials. It is therefore critical to require another user challenge after the username and password are entered. That challenge can be an SMS text message, a code-generator app, a phone call requiring a PIN code be entered, or a code-generating token.
The higher the risk of the authentication, the more control should be employed. Remote access connections present high inherent risk because remote resources are accessible beyond the physical network you control.
DRAFT NIST SP 800-171 R2
Non-local maintenance and diagnostic activities are those activities conducted by individuals communicating through an external network. The authentication techniques employed in the establishment of these non-local maintenance and diagnostic sessions reflect the network access requirements in IA.3.083.