Considering it is CRX Explorer where limited access (only admins) is required, what's the use case which requires you to set up MFA on CRX level? Generally MFA is for business users on AEM welcome page where they do not have access to CRX at all.
There should always be a back door entry. If anything goes wrong in MFA authentication how would admins be able to login to AEM CRX? Also, changing core login mechanism is highly risky.