The root account has the most privilege/access of any account, and should therefore be the most protected account. Enabling MFA mitigates much of the possibility of account compromise as both the password and the MFA device would need to be compromised at once for the account to be compromised. Hardware MFA is preferred as it is more difficult to compromise than a virtual MFA device.