We have reduced MFA again and use very strong passwords and good password managers protected by YubiKeys instead. Many APIs are still accessible without MFA that could lead to data exfiltration anyway. The workaround for that, registering privileged applications, is not really too convincing and just not flexible enough.