It is possible to log into the administration area of an organization by e-mail (self-hosted). It is sufficient to have access to the e-mail address and click on the sent link. In my opinion, the admin area can do a lot of damage by deleting users, for example.
Our admin login is linked to a shared mailbox (sysadmins) so that administration of Bitwarden does not depend on a single person (it could be the person in charge is getting sick, absence, dismissal, death, …). If a person leaves our company, their mailbox is deactivated. The company has no access to it and has a strict policy in this regard.
Therefore I would like to have a kind of 2FA. For example, a series of codes that can be printed out and safely stored. If someone wants to log in, he must first enter a code from this list to get the mail sent.
How do you handle this in your company?