Yes you are right. The normal Shopify plans do allow the setting up of the Two-step Authentication, but it's more on a voluntary basis. As an Admin or Owner of the store, you would be able to see the sign-up status for each Staff (Click on each individual name and check for Two-step Authentication).
For them to sign up, ask them to log in via accounts.shopify.com
Being on Plus will give you the additional benefit of "enforcing it". This means they will have to have Two-step Authentication active before logging in to your store.
And as noted in your question, if you want all staff (assuming you have more than 15, which is the limit of Advanced Shopify, you would need to consider Shopify Plus).
Alternatively, since you have a Brick and Mortar Store, having Shopify POS Pro would also give you the benefit of managing their permission access. By default, having access to Shopify POS does not mean the staff has access to Shopify's admin backend, so in a way, that is secured.
That means if you can define which staff would actually have the need to access the Shopify Backend, and just enforce the Two-step Authentication unto them.
All of our staff need to have Two-Step Authentication.
My other 2 admins were able to set-up Two-Step, but I don't see that option for the associates/cashiers? When I try to set up one of the cashiers with a Shopify ID as you have suggested the system defaults to "free trial account". Can only Admins have a Shopify ID?