Being able to validate credentials via the public facing website without MFA was a considerable problem as well. Also not locking down accounts after failed attempted logins.

Wifi with 802.1X and certs would have been fine here without MFA.