I’d disagree
Yeah, because you probably never had an outage caused by a typo in the router configuration. The moment a critical (core) networking device relies on an external service for authentication you’re screwed if things go south.
securing the change points is more important than securing the end points
The change points are already secured by the fact that only a handful of people have access to them. These people are expected to have proper training which prevents them from typing the router access credentials into random forms of shoddy websites too. If they don’t, then you have a MUCH bigger problem than anything that you can solve by MFA.
Heh, almost as if you described your run-of-the-mill SME networks
And that problem is people
All of the worse cases you detailed revolve around people.
Code review and process address mistakes. Like before you begin a switch update, schedule a switch restart. That way if you screw up you wait X minutes without committing your changes to memory.
And that problem is people
Feel free to come up with a solution that eliminates the people (the costliest element) from the process. You’d make a fortune if you’d achieve that.
All of the worse cases you detailed revolve around people.
They are the source of all problems, I know. If only you could deal away with them…
Code review and process address mistakes.
That’s all fine and should be in place, but that doesn’t say anything about what happens if all hell breaks loose. Let me give you a different example then: what if a networking device fails? You’re screwed if idiotic security policies prevent you from logging in to mitigate the problem.
Like before you begin a switch update, schedule a switch restart.
And if it doesn’t come back up before you even begin the upgrade? And besides, I meant configuration changes. Firmware updates rarely require configuration changes; the addition of new devices to the network does, however.
We’re going to disagree and that’s ok. Arguments can always be made for different perspectives.
Everything breaks eventually and everyone makes mistakes sometimes.
Our cyber insurance required MFA on control interfaces so that’s what we do. The cost of security is expensive because it’s worth it.
Document, detail, prices and testing are how we try to avoid the pain
Fine, if the management of the company you work at thinks that keeping their sysadmins/network admins miserable and suicidal in case network problems arise is okay, that’s their call. Hopefully they won’t mind said people leaving after a couple networking incidents too…