1. Assign multiple user roles to Operator. Example: User Role (RO/SO/AO) & System Administrator
2. When the Operator tries to login, System to check if there are multiple roles, if yes prompt user to choose
3. Trigger 2FA if necessary.

No, that wouldn't work with the OOTB Pega permission design. Roles are additive. If you are an operator allowed to do RoleX and RoleY, you are allowed to do all the things possible for both. You can't say "only do RoleY" without removing the role from the operator. If there are specific actions or classes that you want to limit this sort of thing to, you could probably modify the applicable Rule-Access-Role-Obj records to use a when rule to determine if the operator has selected that permission, but you would have to manage the switching and the flag(s) yourself.
All of that is predicated on the assumption that the RARO checks the when rule each time permission is attempted and that we don't cache it somewhere or otherwise do something clever for performance, which is a real possibility.
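
The behaviour described in the reply above, as an added example that is not part of the original thread and is not Pega code: a simplified Python model of additive role evaluation, a condition that gates one permission on a self-managed "selected role" flag, and the stale result a cached decision would give after switching. All role, class and function names are hypothetical.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

Perm = Tuple[str, str]                    # (class, action); names are hypothetical
When = Callable[["Operator"], bool]       # stand-in for a when rule

@dataclass
class Role:
    name: str
    grants: Dict[Perm, Optional[When]]    # None means an unconditional grant

@dataclass
class Operator:
    roles: List[Role]
    selected_role: Optional[str] = None   # flag the application must manage itself

def selected(role_name: str) -> When:
    """Condition that passes only while the operator has chosen this role."""
    return lambda op: op.selected_role == role_name

def allowed(op: Operator, perm: Perm, cache: Optional[dict] = None) -> bool:
    """Additive check: any held role whose grant (and condition) passes allows perm."""
    if cache is not None and perm in cache:
        return cache[perm]                # a cached decision skips the condition
    result = any(perm in r.grants and (r.grants[perm] is None or r.grants[perm](op))
                 for r in op.roles)
    if cache is not None:
        cache[perm] = result
    return result

# Constructed sample roles for the demonstration.
ADMIN_PERM: Perm = ("AdminSettings", "modify")
USER = Role("UserRole", {("Case", "open"): None})
ADMIN_PLAIN = Role("SysAdmin", {ADMIN_PERM: None})
ADMIN_GATED = Role("SysAdmin", {ADMIN_PERM: selected("SysAdmin")})

def demo() -> Dict[str, bool]:
    plain = Operator([USER, ADMIN_PLAIN], selected_role="UserRole")
    gated = Operator([USER, ADMIN_GATED], selected_role="UserRole")
    out = {"plain_as_user": allowed(plain, ADMIN_PERM),  # roles add up; choice ignored
           "gated_as_user": allowed(gated, ADMIN_PERM)}  # condition blocks the grant
    gated.selected_role = "SysAdmin"
    cache: dict = {}
    out["gated_as_admin"] = allowed(gated, ADMIN_PERM, cache)
    gated.selected_role = "UserRole"                     # operator switches back
    out["cached_after_switch"] = allowed(gated, ADMIN_PERM, cache)  # stale decision
    out["fresh_after_switch"] = allowed(gated, ADMIN_PERM)
    return out

if __name__ == "__main__":
    print(demo())
```
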