You can now enable Multi Factor Authentication (MFA) capabilities for your users using AWS Client VPN and Active Directory. Enterprises can now create a second layer of defense by prompting the user for additional factor, such as verifying a push notification or an email OTP.

from Recent Announcements https://aws.amazon.com/about-aws/whats-new/2019/09/aws-client-vpn-now-supports-multi-factor-authentication-for-active-directory/