Using 2FA to prevent phishing...
Multifactor authentication currently only helps to prevent unauthorized access to a system, but I believe that a small change in how login and MFA are implemented could help prevent phishing scams as well.
What I suggest is the following:
- The login process should be changed so that only the username field is loaded statically on the login page, and the password field is loaded dynamically later.
- Once the username is submitted, a message along the lines of "If your username is in the database, an OTP has been sent to your email/mobile" is shown. This way the response cannot be used to enumerate valid users.
- Once the OTP has been submitted, the password field loads dynamically and the user can log in.
This way you are verified before entering the password. It will prevent users from entering their passwords on a spoofed site, as they will know something is up if the password field is presented before 2FA is performed.
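The three-step flow proposed above, as an added worked example that is not code from the original post. It assumes an in-memory user store, a `send_otp` callback standing in for the email/SMS channel, and constructed sample credentials; the key properties it enforces are the uniform message after the username step and the refusal to accept a password before the OTP has been verified.

```python
import hashlib
import hmac
import secrets


def _hash_pw(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 hash used for the constructed user store."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class LoginFlow:
    """Username -> OTP -> password, each stage gated on the previous one."""

    UNIFORM_MSG = "If your username is in the database, an OTP has been sent to your email/mobile"

    def __init__(self, users, send_otp):
        self.users = users          # username -> (salt, password hash)
        self.send_otp = send_otp    # callable(username, otp): the out-of-band channel
        self.sessions = {}          # session id -> {"stage", "username", "otp"}

    def step1_username(self, username: str):
        """Step 1: start a session and always return the same message."""
        sid = secrets.token_urlsafe(16)
        sess = {"stage": "otp", "username": username, "otp": None}
        if username in self.users:
            sess["otp"] = f"{secrets.randbelow(10**6):06d}"
            self.send_otp(username, sess["otp"])
        self.sessions[sid] = sess
        return sid, self.UNIFORM_MSG   # identical whether or not the user exists

    def step2_otp(self, sid: str, otp: str) -> bool:
        """Step 2: verify the OTP; only then does the password stage open."""
        sess = self.sessions.get(sid)
        if sess is None or sess["stage"] != "otp":
            return False
        # Unknown users get a random dummy so the comparison runs either way,
        # but they can never advance because no OTP was ever issued to them.
        expected = sess["otp"] if sess["otp"] is not None else secrets.token_hex(3)
        ok = hmac.compare_digest(expected, otp) and sess["otp"] is not None
        if ok:
            sess["stage"] = "password"
        else:
            self.sessions.pop(sid)       # one attempt per issued OTP
        return ok

    def step3_password(self, sid: str, password: str) -> bool:
        """Step 3: accept the password only from a session that passed the OTP."""
        sess = self.sessions.pop(sid, None)   # session is consumed either way
        if sess is None or sess["stage"] != "password":
            return False                      # password before 2FA is rejected
        salt, stored = self.users[sess["username"]]
        return hmac.compare_digest(_hash_pw(password, salt), stored)
```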