If you are on a path of
the one with the most accounts in their org wins
you might have gotten tired running to the safe to fetch that key generating magismo, everytime you provision an account.
We decided that we didn't need the excercise, and fat & lazy is part of the BOFH role, so we hooked up a rather cute solution to the problem.
Then you configure TOTP as a thing.
For everytime you hookup an account, once you've generated a password and signed into the account,
add a virtual MFA device, and
vault write its key into vault.
Whenever you need to login as root
vault read the totp code.
We don't even keep the t3.something-cheap running, and don't care if it and its volume snuff's it, since the actual stash is in s3.
That way you can keep chair-butt disconnects to a bare minimum.