by abrookewood 1364 days ago
The root account should not be used to do anything except set up Admin accounts in IAM. That said, to ensure that the credentials aren't lost if someone leaves, what we do is save the QR code to an offline secure database (like KeePass) that is backed up regularly (e.g. on Dropbox). That way all the admins can use the same MFA account.
1 comments

That's an interesting idea, thanks. And I agree - we do not use the root accounts for anything. I'm much more concerned about the bus factor with physical key access.