Yes that is using delegated authentication via a SAML identity provider that supports MFA like DUO. Totally viable, the easiest way out.
Another way is to write custom middleware for ROR Kibana.
Another way is to write/provision a reverse proxy that implements MFA and use it as proxyAuth.