Got a question on behalf of a consultant company we use, and I've struggled to find a solution with them.
Our consultant company uses RDM to connect to our system and several of their other clients.
Our insurance now requires MFA for any remote connections, no exceptions. This means that the 3 generic accounts we created for the consultant corp need a different solution. At first we issued accounts with Duo MFA and it works fine for the handful of regular consultants we have. The issue is one-off users or when issues get escalated to their corp SMEs. Having to create an account for every one-off user at each ticket request just really is not workable long term, especially when timezones are 7 hrs apart. We trust the consultant company enough that we trust any of their employees to gain access to our system.
What are some other options to satisfy the MFA requirement but without the tedious management of individual external accounts?
In my head I can imagine a generic account tied to a rotating key, that can be viewed on the client by any of their users.