It's just the workflow. MFA is fine with passwords and console, but everyone has been educated to understand that once they have an IAM key saved on a disk, it's no longer correct to have.
Maybe that's because AWS' own aws-cli setup encourages you to store these credentials on disk in plaintext in a standard-named file in your home directory, and their best story for temporary roles is to invoke `aws sts get-session-token` and copy-paste values from the JSON output to env vars.
It's really disappointing that aws-cli doesn't easily support this type of workflow, when using MFA and setting up multiple AWS accounts with cross-account roles are two things recommended as security best practices by AWS themselves.
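For reference, an added example (not from any commenter) of the profile-based setup the thread is discussing: a `~/.aws/config` in which the only long-lived credential is either sourced from an external helper via `credential_process` or kept in a base profile that can do nothing but assume roles, and every real role requires an MFA code. Account IDs, role names, the MFA device ARN and the helper path are placeholders.

```ini
# ~/.aws/config (constructed example; IDs and paths are placeholders)

# Option A: no long-lived key on disk at all. The CLI calls an external
# program (hypothetical path) that returns credentials as JSON on stdout.
[profile base]
credential_process = /usr/local/bin/my-aws-cred-helper --profile base
region = us-east-1

# Option B (alternative to A): the key for "base" lives in
# ~/.aws/credentials, but the IAM user behind it is allowed only
# sts:AssumeRole, so the key alone grants nothing useful.
#
# [profile base]
# region = us-east-1

# Real work is done through a role. The CLI prompts for the MFA token
# code on first use, calls sts:AssumeRole itself, and caches the
# temporary credentials under ~/.aws/cli/cache until they expire,
# so nothing is copy-pasted from JSON into environment variables.
[profile prod-admin]
source_profile = base
role_arn = arn:aws:iam::111111111111:role/Admin
mfa_serial = arn:aws:iam::222222222222:mfa/alice
duration_seconds = 3600
region = us-east-1

# A second account uses the same base identity; only the role differs.
[profile staging-readonly]
source_profile = base
role_arn = arn:aws:iam::333333333333:role/ReadOnly
mfa_serial = arn:aws:iam::222222222222:mfa/alice
region = us-east-1
```

Run commands with `aws --profile prod-admin ...`; for the `mfa_serial` line to be enforced rather than merely honoured by the client, the role's trust policy should also require the `aws:MultiFactorAuthPresent` condition.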
Don't get me started on how you can only have a single U2F key attached to your root user.
I agree with that being a major part of the problem.
Regarding root, I always create an account with a console login that can remove the root user's MFA or reset a password; it becomes the recovery account, I can put its own key on it, and ideally it never gets used once tested.