VEVA uses the standard ASP.NET-Identity framework to handle users and roles. It is recommend that user/pass authentication is only used as a last resort.
VEVA has support for many authentication providers that should be used instead of a user/pass. Each authentication scheme is implemented in it's own veva-module that can be installed into any web-application.
By default, ASP.NET-Identity requires that passwords contain an uppercase character, lowercase character, a digit, and a non-alphanumeric character, this well documented can configured by needs in each installation of Veva CMS.
Users can setup Microsoft-MFA but as of now they are not forced to do so. MFA is handled by the Microsoft Authenticator mobile app.