WesolyKubeczek 9 days ago

I guess this flow is even worse for authenticators like Duo or even Apple’s own iCloud logins with 2fa. You log on to a phishing site mimicking the real one, and your phone asks if it is you trying to log in. Yes of course it’s you logging in, but you don’t realize you’re logging in bad guys by proxy.

The prompts that show where the login is coming from are useless, too, because mapping from IP addresses to geographical locations is far from perfect. For example, my legit login attempts showed me all over my country map. If I’m in a corporate VPN already, its exit nodes may also be all over the map, and your legitimate login from, say, Germany may present itself as coming from Cyprus, which is shady as fuck.

If I seek to implement 2fa for my own service and have it be not theater and resistant to such phishing attacks, it gets difficult real fast.
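One way to see the difference the comment is pointing at, as an added example that is not part of the original post: a push prompt only carries the user's yes/no, so a login started from a lookalike site is approved just like a genuine one, whereas a factor that signs the challenge together with the origin the browser is actually on (the idea behind WebAuthn's clientData origin check) fails verification at the real server. The origins, the device key, and the use of HMAC as a stand-in for the authenticator's public-key signature are all constructed for this illustration, not real services or a real protocol implementation.

```python
import hashlib
import hmac
import json
import secrets

# Constructed example: a simplified model of an origin-bound second factor in the
# spirit of WebAuthn's clientData origin check, placed beside a plain push-approval
# flow. HMAC with a per-device key stands in for the authenticator's public-key
# signature; origins and keys are placeholders, not real services.

REAL_ORIGIN = "https://login.example.com"       # placeholder: the genuine service
LOOKALIKE_ORIGIN = "https://login-example.com"  # placeholder: the site the user actually typed into
DEVICE_KEY = b"constructed-per-device-secret"   # placeholder for the registered credential


def issue_challenge() -> str:
    """Server side: a fresh random challenge per login attempt."""
    return secrets.token_hex(16)


def authenticator_sign(challenge: str, browser_origin: str) -> dict:
    """Client side: the browser, not the user, fills in the origin it is really on,
    and the authenticator signs challenge and origin together."""
    client_data = json.dumps(
        {"challenge": challenge, "origin": browser_origin}, sort_keys=True
    )
    sig = hmac.new(DEVICE_KEY, client_data.encode(), hashlib.sha256).hexdigest()
    return {"client_data": client_data, "sig": sig}


def verify_assertion(expected_challenge: str, assertion: dict) -> str:
    """Server side: check the signature first, then that the signed challenge and
    origin are the ones this server issued and owns."""
    expected_sig = hmac.new(
        DEVICE_KEY, assertion["client_data"].encode(), hashlib.sha256
    ).hexdigest()
    if not hmac.compare_digest(expected_sig, assertion["sig"]):
        return "reject: bad signature"
    fields = json.loads(assertion["client_data"])
    if not hmac.compare_digest(fields["challenge"], expected_challenge):
        return "reject: challenge mismatch"
    if fields["origin"] != REAL_ORIGIN:
        return "reject: origin mismatch"
    return "accept"


def origin_bound_login(browser_origin: str) -> str:
    """One login attempt. The challenge always comes from the real server; the only
    thing that varies is the origin the user's browser is on when it signs."""
    challenge = issue_challenge()
    assertion = authenticator_sign(challenge, browser_origin)
    return verify_assertion(challenge, assertion)


def push_approval_login(user_taps_yes: bool) -> str:
    """Push-prompt second factor as described in the comment: the only input is the
    user's yes/no, and nothing in it says which site started the login."""
    return "accept" if user_taps_yes else "reject: user declined"


if __name__ == "__main__":
    print("origin-bound, genuine site:  ", origin_bound_login(REAL_ORIGIN))
    print("origin-bound, lookalike site:", origin_bound_login(LOOKALIKE_ORIGIN))
    print("push approval, any site:     ", push_approval_login(user_taps_yes=True))
```

The point of the model is where the origin comes from: the browser supplies it and the signature covers it, so a user who cannot tell the two domains apart is not the one making the decision. Editing the signed client data afterwards to claim the genuine origin fails the signature check instead, which is why the verifier checks the signature before it reads any fields.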