It is possible to use the LOCAL database/user accounts on the ASA in conjunction with Duo MFA, however you will have to install a Duo Authentication Proxy.  Without the Duo Authentication Proxy, Duo MFA has no means of being invoked.

Here is how to do it (I'm only including configurations that are specific to making LOCAL+DUO work - other configurations are required for AnyConnect but are omitted).

ASA CONFIGURATION:
1: You will have to configure a new aaa-server specifying a RADIUS connection to your Duo Auth Proxy.

aaa-server Duo-Auth-Proxy protocol radius
aaa-server Duo-Auth-Proxy host <w.x.y.z>
 timeout 30
 key *****
 authentication-port 1888
 accounting-port 1889

2: You will need to configure your tunnel-group with a 'secondary-authentication' referencing your Duo Auth Proxy aaa-server configured in step 1.  By default the 'primary authentication' method will be against your LOCAL user account database.  This will be the locally configured user accounts on the ASA.  If you run the command <show run all tunnel-group> you will see the <authentication-server-group LOCAL> configuration line.

tunnel-group Testing_Local_and_Duo_Auth type remote-access
tunnel-group Testing_Local_and_Duo_Auth general-attributes
 address-pool testing_pool
 secondary-authentication-server-group Duo-Auth-Proxy
tunnel-group Testing_Local_and_Duo_Auth webvpn-attributes
 group-alias testing_alias enable

3: Of course, you will have your locally configured accounts configured on the ASA.

username testinguser2 password ***** encrypted
username testinguser1 password ***** encrypted

DUO AUTH PROXY CONFIGURATION:

Within the Duo Auth Proxy, you can configure a 'Radius Duo Only' configuration where only Duo MFA will be invoked for the authenticating user account.  Typically, the Duo Auth Proxy Radius configuration will verify credentials against a primary identity source (AD) and then prompt/verify via the Duo Cloud for the 2nd factor.  In this case, your primary identity source is the locally configured account on the ASA, so on the Auth Proxy you want to skip the check against the primary identity source and only prompt the 2nd factor.

[radius_server_duo_only]
ikey=<enter-your-ikey>
skey=<enter-your-skey>
api_host=<enter-your-apihost>
radius_ip_1=<w.x.y.z>
radius_secret_1=<enter-your-radius-secret>
port=1888
client=duo_only_client

 DUO CLOUD CONFIGURATION:
You will need to configure a Radius protected application in your Duo Admin Panel.  This is where you will obtain the ikey, skey, and api_host values you will use in your Duo Auth Proxy configuration.  Additionally, you will need to manually (or via bulk import) add the ASA locally configured user accounts (using the same name) to your Duo Cloud.  These accounts will need to enroll their 2nd factor device (typically a smart phone).

OPERATION:

When a user tries to log into the tunnel-group you've configured with a 'secondary-authentication' you will have an AnyConnect login prompt requesting two usernames and two passwords.  The first set of username/password will be to authenticate against the locally configured username/password in the ASA.  The second set of username/password will be sent to the Duo Auth Proxy.  The username must match the Duo user account username you specified in your Duo Cloud during user creation.  Enrollment for this username/account will need to be complete.  The secondary password field will either be the Duo passcode the user acquired through their 2nd factor device or a string/text for the Duo 2nd factor prompt they wish to use for MFA ('push', 'phone', 'sms').

Please reference this Duo documentation:
https://duo.com/docs/radius-duo-only