Regarding Nextcloud security you are welcome to follow this guide How to maintain, check and improve the security of your Nextcloud installation
@bb77 good points. we don’t have #ssh and OS access covered in the above guide, would you mind adding your valuable input there? or maybe create another “low level” Wiki regarding server security?
in case you have shell access I would recommend using MFA for admin accounts as well and in case of issues reset/remove MFA using occ command. single-factor authentication with strong password (20+ char) is likely “secure enough” for private installation as the chance is low somebody will run brute-force attack on your server but still MFA is far more secure than simple password - and your definitely should secure your admin accounts better than user accounts.
One should always have backup for your MFA. you could have different MFA methods enabled TOTP on your phone (one can print QR code and store it safely offline) and FIDO key so you still can login if one method fails… same recommendation applies for every user - admin and regular accounts.