Enable 2fa Access to ECP Admins only. Access will be denied to non administrators.
If you have not already done so, please refer to links below on DualShield Server and IIS agent setup.
Install DualShield Authentication Server
Also:
Create an ECP Admins group in AD and make your ECP Administrator accounts members of this group
1) DualShield Server Configuration for ECP Access