He could have had 2FA on his console account but saved an access key for CLI access. Many large organizations have an infrastructure where you exchange your corporate authentication (including 2FA) for a short-lived AWS access key, but AFAIK this isn’t out of the box.
This seems incredibly clunky and most people are probably not doing something that involves typing the ARN of their MFA device on a day-to-day basis. To be tenable on a daily basis you need something like “aws login” with username, password, and code that sets up your credentials file correctly. Expect people to copy and paste values around, and you’ve already lost.
Not to mention legacy code that only knows about access key ID and secret, and doesn’t have a place to even put a token.
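An added example, not part of the comments above: a wrapper of the kind the thread asks for, which exchanges a long-lived key plus an MFA code for temporary credentials via `aws sts get-session-token` and writes them to the credentials file with no copying and pasting. The profile name `mfa`, the `AWS_MFA_SERIAL` variable and the sample response are assumptions constructed for illustration.

```python
import configparser, json, os, subprocess, sys

# Constructed sample of `aws sts get-session-token --output json` (not real keys).
SAMPLE_RESPONSE = """{"Credentials": {"AccessKeyId": "ASIAEXAMPLEEXAMPLE00",
 "SecretAccessKey": "constructed/Secret+Example", "SessionToken": "constructedToken==",
 "Expiration": "2030-01-01T12:00:00+00:00"}}"""

def fetch_session(serial_number, token_code, source_profile="default"):
    """Trade the long-lived key plus a current MFA code for temporary credentials."""
    result = subprocess.run(
        ["aws", "sts", "get-session-token", "--profile", source_profile,
         "--serial-number", serial_number, "--token-code", token_code,
         "--output", "json"],
        check=True, capture_output=True, text=True)
    return json.loads(result.stdout)["Credentials"]

def write_profile(creds, path, profile="mfa"):
    """Store temporary credentials under [profile]; other profiles are kept."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read(path)  # read existing profiles before the file is truncated below
    cfg[profile] = {
        "aws_access_key_id": creds["AccessKeyId"],
        "aws_secret_access_key": creds["SecretAccessKey"],
        # Tools that only read the two fields above cannot use these credentials:
        # STS temporary keys are rejected without the session token.
        "aws_session_token": creds["SessionToken"],
    }
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        cfg.write(fh)
    os.chmod(path, 0o600)  # tighten mode even if the file already existed
    return creds["Expiration"]

if __name__ == "__main__":
    # Hypothetical variable: the MFA device ARN, set once so nobody types it daily.
    serial = os.environ["AWS_MFA_SERIAL"]
    code = input("MFA code: ").strip()
    path = os.path.expanduser("~/.aws/credentials")
    expires = write_profile(fetch_session(serial, code), path)
    print(f"profile 'mfa' valid until {expires}", file=sys.stderr)
```

Rewriting the file through `configparser` drops any comments it contained.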