No, OP is completely correct. It’s all down to how the company configures their MFA, but MS MFA will definitely show you a two-digit number on the system you initiated the auth on, and force you to type that on your Authenticator app.

I work with a vendor that has this setup and do this every day when accessing their systems.

Thankfully my own company doesn’t have the type a number stuff turned on.

That’s not true anymore. https://docs.fcc.gov/public/attachments/FCC-19-72A1.pdf

It’s only bad practice if you don’t keep up on vulnerabilities/patching, don’t have any type of monitoring or ability to detect a potential breach, etc.

The nice thing about tucking everything behind a VPN is you only have one attack surface to really worry about.

I moved from technical, to management, did that for around 4 years and decided that was enough. Switched jobs (also probably way overdue at that time) to a senior network engineer, left after a year and became a network architect. I’ve done that for a few employers ever since and generally love it.

I just do this for money, I care about my work of course, but end of the day I want to shut down and forget about it. My current role lets me do that pretty easily.

Being in management that long might make it harder, unfortunately. But I’d totally recommend trying to pivot to an architect role if you have the skills.