Duende IdentityServer itself doesn’t implement multi-factor authentication (MFA). MFA is part of the login process in the user interface which is the responsibility of the hosting application. Microsoft provides some general guidelines on how to enable MFA in ASP.NET Core.
An IdentityServer implementation can include MFA in its login page using anything that works with ASP.NET Core. One approach is to use ASP.NET Identity’s MFA support.
When using IdentityServer as a federation gateway, interactive users authenticate at the upstream provider. Typically the upstream provider will perform the entire user authentication process, including any MFA required. There’s no special configuration or implementation needed in IdentityServer in this case, as the upstream provider handles everything.