What you want to accomplish (as described) defeats the purpose of establishing identity assurance (e.g. that the person is who they say they are). Once a common mailbox is used, you no longer can guarantee that who accessed is the primary account owner.
My advice is that if e-mail will be used, you also provide alternative method(s) (e.g. SMS, OATH OTP, RADIUS, Smart Card, Phone Factor) to address the issue of not being able to reach the mailbox to satisfy an MFA challenge.
That being said, you can leverage additional attributes for MFA, and the help topic can be found here:
R.P