Mobile CRM and Epicor Web Access - Security/Best Practice

We use second factor via Azure AD. We authenticate Epicor with Azure Active Directory and forced second factor on there. So to log in to Epicor, if you are in our internal network it uses SSO, but if you are coming from anywhere external you need to authenticate against AD and provide your second factor. Works great and right out of the box.

AppProxy is a great approach that has already been recommended.

We wrote a portal that allows customers to access their data. We did it via a proxy on the DMZ which sits between them, us and our network.
That server can only communicate with Epicor via port 443 (our Epicor server is not exposed directly). I covered this in more detail in a prior post… (let me look for it)

Here you go

Which is basically similar to what AzureAppProxy does.
