by mdg12v 1112 days ago
Does 2FA not mean that the user will not be redirected out until the verification code is entered? I think the article needs more clarification. Can you show where a phishing attack is possible in the following scenario?

1. Open login page
2. Enter credentials (step 1)
3. Enter verification code (step 2)
4. Authenticate, redirect.
1 comments

If you enter google.com in your browser and log in, unless you misspelled the domain and that didn't get flagged by anything, you'll be fine. If a relative that doesn't know much about tech gets a text/email asking them to log in to their bank but the site linked is b4nk0f4m3r1c4.com, that phishing site could replay the entered credentials into the real site to log in.
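
An added example, not part of either comment above: a local simulation of the server-side check in the four-step scenario, showing that a TOTP verifier accepts a valid code no matter which site collected it, next to an origin-bound check that does not. The origins, secrets and function names are constructed assumptions, and HMAC stands in for the public-key signature a real origin-bound authenticator would use.

```python
import hashlib
import hmac
import struct

# Constructed sample values (assumptions, not taken from the thread).
REAL_ORIGIN = "https://bank.example"
LOOKALIKE_ORIGIN = "https://b4nk.example"
TOTP_SECRET = b"constructed-demo-secret"
DEVICE_KEY = b"constructed-device-key"


def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing unix_time."""
    counter = struct.pack(">Q", unix_time // step)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def server_verify_totp(code, now):
    # Inputs are the code and the clock; nothing records which site the
    # user typed the code into.
    return hmac.compare_digest(code, totp(TOTP_SECRET, now))


def authenticator_sign(challenge, browser_origin):
    # Origin-bound factor: the response covers the origin the browser is on.
    # HMAC stands in for the public-key signature of a real authenticator.
    msg = challenge + browser_origin.encode()
    return hmac.new(DEVICE_KEY, msg, hashlib.sha256).digest()


def server_verify_origin_bound(challenge, response):
    # The server accepts only a response computed for its own origin.
    expected = authenticator_sign(challenge, REAL_ORIGIN)
    return hmac.compare_digest(response, expected)


def compare_factors(now=1_700_000_000):
    code = totp(TOTP_SECRET, now)  # what the user reads off their app
    challenge = b"constructed-server-challenge"
    on_real = authenticator_sign(challenge, REAL_ORIGIN)
    on_lookalike = authenticator_sign(challenge, LOOKALIKE_ORIGIN)
    return {
        "totp_code_arriving_5s_later": server_verify_totp(code, now + 5),
        "origin_bound_via_real_site": server_verify_origin_bound(challenge, on_real),
        "origin_bound_via_lookalike": server_verify_origin_bound(challenge, on_lookalike),
    }
```

The TOTP check passes for any code that is valid in the current time step, so step 3 of the scenario adds nothing the server can use to tell a direct login from a forwarded one; the origin-bound response fails as soon as the browser's origin differs from the server's.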