Changing the password or turning on two-factor will not remove activation lock from a device.
Normally, none of this discussion would be much of an issue. An iPhone with a passcode can't be accessed by anyone without the passcode. If it didn't have a passcode, it can be remotely locked as described in If your iPhone, iPad, or iPod touch is lost or stolen - Apple Support
Apple ID passwords are sometimes divulged after a device is stolen when the thief sends a message indicating the phone has been found. They send a link pretending to be Apple and if the owner responds and logs into a site that looks like Apple, they divulge their password and the thief then uses that to turn off Activation Lock.
But your original post stated "... we believe that the people that stole it may have a means to access it." I interpret that to mean it is someone known to the owner who may know the phone passcode. Given that, I would change the Apple ID password no matter what.
Two-factor authentication is always a good idea but simply changing the password is sufficient in most situations. However, it can stop someone who knows the password (e.g., from phishing).