Most MFA solutions are vulnerable to attack because there is a real challenge handling enrollment and lost tokens. It requires verification of the user, which guess what? Hard to do especially with remote users.