On the flip side, some companies have gone to extremes. I now have to MFA and provide a pin-code to authenticate. I have to do this several times a day. It's fucking mind-boggling how I can get anything done in a day when I spend so much time verifying who I am. I'm waiting for the next innovation...require a drop of my blood to log in.
Why is that extreme? I have to provide a pin code using MFA to my bank to authenticate, and their sessions are a lot shorter than your average developer or operator session.
And their actions impact far more than just my own account. Is it inconvenient? Yes. Does it work? Yes. Is it perfect? No, absolutely not, but it is a useful layer in the cake.
Requiring a user to MFA once per day per device is normal for a work account - but that's already a lot compared to services like gmail.
After all, workers are mostly working in an access-controlled office or their private home; and your endpoint protection will be ensuring they're connecting from a company-issued laptop and that they have screen lock on a timer and a strong password.
I'm already validating something-they-know (FDE password) and something-they-know (OS password) and something-they-know (SSO system password) and something-they-have (company laptop). And once a day I'm validating another something-they-have (TOTP code/Yubikey).
Asking people to provide the second something-they-have several times a day seems like security theatre to me.