WordPress core lacks 99% of the features built into Joomla, even basic security features like MFA. Admin Tools for WordPress does not have a 2FA / MFA feature. There are third party plugins for WordPress, as you said. You should indeed use them.
Regarding roles, Akeeba Backup offers optional roles if you want to allow someone who's not an Administrator to take, manage, or configure backups. By default, no user is assigned to those roles. Moreover, these are not login roles, i.e. you cannot have a user which only belongs to that role. You need to enforce 2FA / MFA to login roles.
It may help your mental model if you translate WordPress role = Joomla user group. They are not technically the same, but they are close enough in what they do to make this a valuable mental model for understanding access control in WP coming from Joomla.
Nicholas K. Dionysopoulos
Lead Developer and Director
🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!