[efortis]

Yes, MFA with a click-link mitigates it. But a pastable token wouldn't.

https://en.wikipedia.org/wiki/Multi-factor_authentication