That’s not true anymore. https://docs.fcc.gov/public/attachments/FCC-19-72A1.pdf
That’s not true anymore. https://docs.fcc.gov/public/attachments/FCC-19-72A1.pdf
It’s only bad practice if you don’t keep up on vulnerabilities/patching, don’t have any type of monitoring or ability to detect a potential breach, etc.
The nice thing about tucking everything behind a VPN is you only have one attack surface to really worry about.
No, OP is completely correct. It’s all down to how the company configures their MFA, but MS MFA will definitely show you a two-digit number on the system you initiated the auth on, and force you to type that on your Authenticator app.
I work with a vendor that has this setup and do this every day when accessing their systems.
Thankfully my own company doesn’t have the type a number stuff turned on.