Not all MFA is Equal
Yes Multifactor Authentication always provides greater protection than simple a username and a password but the mechanisms exist on a scale.
For most small businesses enabling MFA will be enough. Others who handle sensitive data maybe required to use more stringent MFA that is resistant to Phishing attacks
Take phone calls are SMS messages. These are vulnerable to hacking and aren't allowed on Federal systems. My university, on less secure data, allows SMS authentication
These are called shared secrets, like one time passwords, and they are vulnerable to phishing