Its easy to fall into the trap of “of course its on the Internet, its secured” having a silent corollary of “its just an internal test app, don’t bother with security”.
The reality is, if it exists, it should be secure. If you allow people to be lulled into accepting bad SSL certificates and poor login on the test app, they will do accept it on the real app.
2-Factor authentication is not a material barrier. You can have push notifications (your phone buzzes and says, is that you logging in?). You can have Authenticator apps. You can have hardware devices like YubiKey or Google Titan.
If its worth having a login, its worth being secure. Look around your enterprise application inventory. Do any of them have internal password systems? Or are not 2-factor? Get them fixed. I’ll wait.
You want the login to look like below. Financial, Municipal, Industrial, it doesn’t matter. Its important.