Self-Provisioning-the gift that keeps giving
If your MFA rollout is based on self-provisioning, it may have intrinsic vulnerabilities.
According to Mandiant, Hackers exploited this to gain access to a Microsoft Azure Account, here is the link: https://www.mandiant.com/resources/blog/apt29-continues-targeting-microsoft.
The ease of “Passwordless” Authentication has been enthusiastically promulgated especially for Smartphone users which usually involves biometric self-enrolment, but using the Smartphone as the client and having the same Smartphone as the means for Authentication cannot really claim to be “Multi-factor”.