Still lots of pitfalls with just MFA. Text/email being the worst and TOTP being somewhat better but not great. A lot of password vaults support storing the TOTP secret so they can generate time-based codes, which seems reasonable when the vault is 2-3 factor protected (some do IP heuristics, passwords, tokens, PINs, etc.). Unfortunately, if someone gets access to the vault in its unencrypted state you're in for a world of hurt.
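To make the point above concrete: a TOTP "second factor" is nothing more than HMAC over the current 30-second counter, keyed with the stored secret. Whoever holds the secret (the vault, or whoever reads the vault in its unencrypted state) can mint valid codes indefinitely. The following is an added example, not code from the thread or from any particular vault; it implements RFC 4226 HOTP and RFC 6238 TOTP with the standard library only, and the base32 secret it uses is the well-known RFC 6238 test key, standing in for a secret lifted from a vault export.

```python
"""RFC 4226 HOTP / RFC 6238 TOTP from a stored secret (added example)."""
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC(secret, counter) -> dynamic truncation -> N-digit code."""
    msg = struct.pack(">Q", counter)            # 8-byte big-endian counter
    mac = hmac.new(secret, msg, algo).digest()
    offset = mac[-1] & 0x0F                     # low nibble of last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at=None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP where the counter is floor(unix_time / step)."""
    at = int(time.time()) if at is None else at
    return hotp(secret, at // step, digits)


def secret_from_base32(b32: str) -> bytes:
    """Decode an otpauth-style secret: often lowercase, space-grouped, unpadded."""
    s = b32.strip().replace(" ", "").upper()
    s += "=" * (-len(s) % 8)                    # restore the padding base64.b32decode insists on
    return base64.b32decode(s)


def verify_totp(secret: bytes, code: str, at=None, step: int = 30, window: int = 1) -> bool:
    """Server-side check: constant-time compare, tolerating +/- `window` steps of clock skew."""
    at = int(time.time()) if at is None else at
    for drift in range(-window, window + 1):
        expected = hotp(secret, at // step + drift, len(code))
        if hmac.compare_digest(expected, code):
            return True
    return False


if __name__ == "__main__":
    # Constructed input: the RFC 6238 reference key, as a vault might export it.
    leaked = "gezd gnbv gy3t qojq gezd gnbv gy3t qojq"
    key = secret_from_base32(leaked)
    now = int(time.time())
    print("current code:", totp(key, at=now))
    # Nothing ties the code to a device: an attacker holding `key` gets the same answer.
    print("accepted by a skew-tolerant verifier:", verify_totp(key, totp(key, at=now), at=now))
```

The `verify_totp` window is the usual server-side compromise between clock drift and the size of the guessing target; a verifier should also refuse to accept the same counter value twice, which this snippet does not track.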
Even with hardware tokens, if someone gets access to your machine while you're using it, they can wait until you authenticate and then use the creds, proxying requests through your machine so they look legit.
From a couple of years back, https://arstechnica.com/information-technology/2016/04/how-h... (the hackers got remote access to a sysadmin's desktop, then waited until he mounted TrueCrypt and stole the entire contents)