I currently use BW along with MFA through Azure/MS Authenticator. It requires an MFA request when connecting from an unknown browser but not when connecting from a known device. This is convenient but comes with the risk that a malicious or unsecure device could become approved and compromise a user’s passwords with no way of anybody knowing.
A nice feature would be the ability to require MFA authentication on every vault unlock (perhaps by sending an approval push notification to the mobile app). That way, if a user does something silly like approve the PC at their local library, the risk is still minimal since a potential attacker still wouldn’t be able to get past the MFA request.
Having device approvals expire over time and require re-approval could also be helpful on this front.