You can do stuff with gssapi / kerberos. Or, if you consider that 2FA, you can use client certificates in addition to passwords. Interactive 2FA probably imo doesn't make that much sense for a database.
The "team secret sharing problem" usually refers to "how do we manage all the API and backend secrets we need to deploy and test a new instance, without having everyone shlepping them around on their dev laptops, and without ending up in a mode were the loss of one server equates to the loss of every instance in the environment."