by GuidoW 2733 days ago
The failure mode of TOTP, SMS is that the user needs to be sure to be connected to the correct site.

The hidden assumption is that the user is able to distinguish the fake from the correct site.

For any authentication system to work in the face of adversaries trying to confuse a user, the system needs to be robust against that.

https://eccentric-authentication.nl/blog/2014/11/30/spot-the...

https://eccentric-authentication.nl/blog/2016/11/18/on-the-i...

1 comment

True, 2FA protects against people pretending to be you trying to log into the site, but not against sites pretending to be the site you want to access.
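The point GuidoW makes above (a TOTP or SMS code is valid for whichever site the user happens to type it into, so the system inherits the user's ability to tell sites apart) can be shown in a small simulation. The Python below is an added example, not code from either commenter or from the linked blog: it implements a standard RFC 6238 TOTP, then a hypothetical origin-bound challenge response (an HMAC over the origin the client actually connected to plus a server challenge, modelled on the way WebAuthn binds assertions to the relying party). A shared secret, the origins `example.com` / `examp1e.com`, and the relay scenario are all constructed for the demonstration. Run it and the TOTP relay is accepted by the real site while the origin-bound response is rejected, because the user's client signed for the look-alike origin rather than the one the verifier expects.

```python
import hashlib
import hmac
import secrets
import struct

# Constructed demo secret, standing in for the one enrolled at the real site.
SECRET = b"constructed-demo-secret-not-real"

REAL_ORIGIN = "https://example.com"     # constructed
FAKE_ORIGIN = "https://examp1e.com"     # constructed look-alike


def totp(secret: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time counter, then dynamic truncation."""
    counter = struct.pack(">Q", t // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{truncated % (10 ** digits):0{digits}d}"


def verify_totp(secret: bytes, code: str, t: int) -> bool:
    """The real site's check: the code depends only on secret and time."""
    return hmac.compare_digest(totp(secret, t), code)


def bound_response(secret: bytes, origin: str, challenge: bytes) -> str:
    """Hypothetical origin-bound authenticator: the client signs the origin it
    actually connected to together with the server's challenge."""
    msg = origin.encode() + b"|" + challenge
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify_bound(secret: bytes, expected_origin: str, challenge: bytes, response: str) -> bool:
    """The real site's check recomputes the response for its own origin."""
    expected = bound_response(secret, expected_origin, challenge)
    return hmac.compare_digest(expected, response)


def relay_totp(t: int) -> bool:
    """Scenario: the user cannot tell the sites apart and enters the code at the
    look-alike site, which forwards it to the real site.  Returns whether the
    real site accepts it."""
    code_entered_at_fake_site = totp(SECRET, t)
    return verify_totp(SECRET, code_entered_at_fake_site, t)


def relay_bound() -> bool:
    """Same scenario with an origin-bound response: the look-alike site forwards
    the real site's challenge, but the client binds its answer to the origin it
    is actually talking to.  Returns whether the real site accepts it."""
    challenge = secrets.token_bytes(32)          # issued by the real site
    response = bound_response(SECRET, FAKE_ORIGIN, challenge)
    return verify_bound(SECRET, REAL_ORIGIN, challenge, response)


if __name__ == "__main__":
    print("TOTP relayed through look-alike site accepted:", relay_totp(1700000000))
    print("origin-bound response relayed accepted:      ", relay_bound())
```

The design choice that matters is in `bound_response`: the origin is an input to the signature chosen by the client from the connection it made, not something the user reads off the screen, so a wrong origin gives a wrong answer without any judgement on the user's part. Any scheme where the user transcribes a value (TOTP, SMS) cannot include that input, which is the hidden assumption the comment describes.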