Customers who want to get prompted with two-factor code while trying to access the server remotely will not get the authentication even though they might have selected the users "Agents requiring authentication".
Starting in VSA 9.4, the default setting is to replace KRC with RC in KLC. This is the reason you are able to Remote control even though the "Agent Remote Control Authentication" is set.
You can change this setting to NO but then you will still be able to bypass 2FA by simply opening KLC and remote controlling from there.
The recommended setting would be to leave this setting as YES and enabling 2FA for KRC and KLC. You can enable KLC 2FA by going to AuthAnvil> Manage Agent Groups > Open a group added in there and click the Advanced button (screenshot below).