Do you get such pushback over the need for MFA, or more generally for the use of roles, or something else?
MFA seems like an essential defense-in-depth measure to ensure that a compromise of the locally held IAM key is not enough on its own to compromise your AWS account.
It's just the workflow. MFA is fine with passwords and the console, but everyone has been educated to understand that once they have an IAM key saved on a disk, it's no longer correct to have.
Maybe that's because AWS' own aws-cli setup encourages you to store these credentials on disk in plaintext in a standard-named file in your home directory, and their best story for temporary roles is to invoke `aws sts get-session-token` and copy-paste values from the JSON output into env vars.
It's really disappointing that aws-cli doesn't easily support this type of workflow, when using MFA and setting up multiple AWS accounts with cross-account roles are two things recommended as security best practices by AWS themselves.
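The `get-session-token` copy-paste workflow described above, wrapped in a shell function so the MFA-backed temporary credentials land only in the current shell's environment rather than in `~/.aws/credentials`. This is an added example, not code from anyone in this thread; it assumes aws-cli's default pretty-printed JSON output, and the MFA serial, account id and credential values are placeholders.

```shell
#!/bin/sh
# Added example: keep MFA-gated STS session credentials in env vars only.
# Usage (placeholder MFA ARN and a current TOTP code):
#   eval "$(aws_mfa_session arn:aws:iam::123456789012:mfa/alice 123456)"
# Assumes aws-cli's default pretty-printed JSON (one key per line).

# Turn a get-session-token JSON response into `export` lines for eval.
creds_to_exports() {
    json="$1"
    key=$(printf '%s\n' "$json" | sed -n 's/.*"AccessKeyId": *"\([^"]*\)".*/\1/p')
    secret=$(printf '%s\n' "$json" | sed -n 's/.*"SecretAccessKey": *"\([^"]*\)".*/\1/p')
    token=$(printf '%s\n' "$json" | sed -n 's/.*"SessionToken": *"\([^"]*\)".*/\1/p')
    expiry=$(printf '%s\n' "$json" | sed -n 's/.*"Expiration": *"\([^"]*\)".*/\1/p')
    # Refuse to emit partial credentials if STS returned something unexpected.
    if [ -z "$key" ] || [ -z "$secret" ] || [ -z "$token" ]; then
        echo "creds_to_exports: missing fields in STS response" >&2
        return 1
    fi
    printf 'export AWS_ACCESS_KEY_ID=%s\n' "$key"
    printf 'export AWS_SECRET_ACCESS_KEY=%s\n' "$secret"
    printf 'export AWS_SESSION_TOKEN=%s\n' "$token"
    # Informational only; lets a prompt or script notice when the session lapses.
    printf 'export AWS_SESSION_EXPIRATION=%s\n' "$expiry"
}

# Call STS with the MFA device serial and the current TOTP code, then emit exports.
# The long-lived key in ~/.aws is used only for this one call.
aws_mfa_session() {
    serial="$1"; code="$2"
    out=$(aws sts get-session-token --serial-number "$serial" \
          --token-code "$code" --duration-seconds 3600) || return 1
    creds_to_exports "$out"
}

# Constructed sample of an STS response (placeholder values, not real keys).
SAMPLE_STS_JSON='{
    "Credentials": {
        "AccessKeyId": "ASIAEXAMPLEKEYID",
        "SecretAccessKey": "exampleSecretKey/placeholder",
        "SessionToken": "exampleSessionToken==",
        "Expiration": "2020-01-01T12:00:00Z"
    }
}'
```

Because the output is consumed with `eval`, the credentials never touch a file and disappear when the shell exits.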
Don't get me started on how you can only have a single U2F key attached to your root user.
I agree with that being a major part of the problem.
Regarding root, I always create an account with a console login that can remove the root user's MFA or reset a password. It becomes the recovery account, and I can put its own key on it; ideally it never gets used once tested.