Currently an account cannot use both two-factor authentication and SSO simultaneously. This means:
1) Any account using SSO has an insecure owner login (as it cannot use SSO and with SSO enabled cannot use two-factor auth)
2) Any account using two-factor auth has insecure shared user accounts or cannot share access

It is important for the owner account to be able to login without SSO, just in case anything goes wrong with this configuration. However having SSO enabled should not prevent the owner account from being able to use two-factor and therefore be as secure as possible.