chrismorgan 3 days ago

Yeah, I feel that bit is just wrong, in three ways for me:

1. Like you, I never put credentials into links from emails that I didn’t trigger/wasn’t expecting. This is a generally-sensible practice.

2. Updating 2FA credentials is nonsense. I don’t expect everyone to know this, this is the weakest of the three.

3. If my credentials don’t autofill due to origin mismatch, I am not filling it manually. Ever. I would instead, if I thought it genuine, go to their actual site and log in there, and then see nothing about what the phish claimed. I’ve heard people talking about companies using multiple origins for their login forms and how having to deal with that undermines this aspect, but for myself I don’t believe I’ve ever seen that, not even once. It’s definitely not common, and origin-locked second factors should make that practice disappear altogether.

Now these three are not of equal strength. The second requires specific knowledge, and a phish could conceivably use something similar that isn’t such nonsense anyway. The first is a best practice that seems to require some discipline, so although everyone should do it, it is unfortunately not the strongest. But the third? When you’re using a password manager with autofill, that one should be absolutely robust. It protects you! You have to go out of your way to get phished!
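To make the third point concrete, here is an added illustration (not code from the commenter or from any real password manager) of the exact-origin check that decides whether a saved credential autofills: scheme, host and effective port must all match the origin the credential was saved for. The domains below are constructed placeholders.

```python
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Default ports so "https://host" and "https://host:443" count as the same origin.
DEFAULT_PORTS = {"https": 443, "http": 80}


def origin_of(url: str) -> Optional[Tuple[str, str, int]]:
    """Return the (scheme, host, port) origin of a URL, or None if unusable.

    The host is lower-cased and the default port filled in, mirroring the
    browser's notion of an origin. No other normalisation is attempted, so a
    host with a look-alike non-ASCII character simply fails to match.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = parts.hostname  # urlsplit lower-cases this and drops any userinfo
    if scheme not in DEFAULT_PORTS or not host:
        return None
    try:
        port = parts.port or DEFAULT_PORTS[scheme]
    except ValueError:  # non-numeric or out-of-range port
        return None
    return (scheme, host, port)


def should_autofill(saved_for: str, page_url: str) -> bool:
    """Autofill only when the page's origin equals the credential's saved origin.

    Exact-origin matching is why a look-alike domain, a subdomain of an
    attacker-controlled host, a userinfo trick ("real.host@other.host") or a
    downgrade to http all fail to autofill.
    """
    saved, page = origin_of(saved_for), origin_of(page_url)
    return saved is not None and page is not None and saved == page


if __name__ == "__main__":
    # Constructed sample: credential saved for the genuine login page.
    saved = "https://accounts.example.com/login"
    for candidate in (
        "https://accounts.example.com/reset?token=abc",          # same origin: fills
        "https://ACCOUNTS.example.com:443/",                      # case/port normalised: fills
        "http://accounts.example.com/login",                      # scheme mismatch: no fill
        "https://accounts.example.com.evil-site.test/login",      # look-alike host: no fill
        "https://accounts.example.com@evil-site.test/login",      # userinfo trick: no fill
    ):
        print(f"{'FILL   ' if should_autofill(saved, candidate) else 'NO FILL'} {candidate}")
```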

trinix912 3 days ago | parent

> 2. Updating 2FA credentials is nonsense. I don’t expect everyone to know this, this is the weakest of the three.

The problem with this is that companies often send out legit emails saying things like "update your 2FA recovery methods". Most people don't know well enough how 2FA works to spot the difference.