Fair enough, I was being a bit hyperbolic. But, text message is out of the question because it relies on the end user to delete it. Otherwise if the device is compromised, it has the vpn client and password on the same device. Dictating a complex password can also be tough, especially when you are rolling out VPN access to dozens of people. Also, best practice is to renew passwords on a periodic basis. GlobalProtect simply doesn't have the capabilites to maintain best practice. I guess we will have to rely on MFA for every type of user.