For Three Rings, we've implemented (TOTP-based) MFA support in our Secrets Store (basically a charity's password safe). Naturally, for this to work, the organisation has to choose to share their MFA secret with us, weakening security to gain convenience (the convenience of being able to choose which of their volunteers can access the resulting TOTP keys, under what circumstances - e.g. requiring 2FA or a fixed physical location - and that it be logged).

In this case, it felt like the right balancing point. Where a charity has e.g. a social media account with access shared between multiple users but those users are forced to share the same set of credentials, we'd rather that the charity enabled 2FA on their account (even if the only practical way to do so was to use a secret sharing system like ours) than felt unable to enable it.

TOTP 2FA is really powerful as a security tool. So much so that even weakening it by sharing the secret still leaves its authentication system significantly stronger than if it weren't enabled. So yes, I'm with you! (This is, of course, contingent on the MFA being correctly implemented on the third-party system. Last year, for example, I found a vulnerability in the web systems of a major UK mobile network that allowed an attacker to trivially bypass the second factor. 🤦)
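An added example, not Three Rings' code: a sketch of the arrangement described above, in which the store keeps the shared TOTP secret server-side and releases only the current code to permitted volunteers, logging every request. The class, its fields, the policy checks and the sample values are assumptions made for illustration.

```python
import base64, hashlib, hmac, struct

def totp(secret_b32, now, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA-1) for Unix time `now`."""
    key = base64.b32decode(secret_b32, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", int(now) // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class SharedTotpEntry:
    """Hypothetical store entry: the secret stays server-side, only codes leave."""

    def __init__(self, label, secret_b32, allowed_users, require_2fa=True, allowed_ips=None):
        self.label = label
        self._secret = secret_b32
        self._allowed_users = set(allowed_users)
        self._require_2fa = require_2fa
        self._allowed_ips = None if allowed_ips is None else set(allowed_ips)
        self.audit_log = []  # every request is recorded, granted or not

    def request_code(self, user, session_has_2fa, source_ip, now):
        if user not in self._allowed_users:
            denied = "user not authorised for this entry"
        elif self._require_2fa and not session_has_2fa:
            denied = "requester has not passed 2FA"
        elif self._allowed_ips is not None and source_ip not in self._allowed_ips:
            denied = "request from outside permitted location"
        else:
            denied = None
        # Log who asked, from where and the outcome; never the secret or the code.
        self.audit_log.append({"time": now, "entry": self.label, "user": user,
                               "ip": source_ip, "granted": denied is None, "reason": denied})
        return None if denied else totp(self._secret, now)

# Constructed sample data: the RFC 6238 test key and documentation-range IPs.
DEMO_SECRET = base64.b32encode(b"12345678901234567890").decode()
entry = SharedTotpEntry("charity-social-media", DEMO_SECRET,
                        allowed_users={"alice", "bob"}, allowed_ips={"192.0.2.10"})

if __name__ == "__main__":
    print(entry.request_code("alice", True, "192.0.2.10", now=59))   # granted
    print(entry.request_code("bob", False, "192.0.2.10", now=59))    # denied: no 2FA
    print(entry.request_code("carol", True, "192.0.2.10", now=59))   # denied: not listed
    for record in entry.audit_log:
        print(record)
```

Because volunteers only ever receive a short-lived code, removing someone from `allowed_users` ends their access without re-enrolling the third-party account's second factor.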