Hacker News
by ivewonyoung 483 days ago
> why don't they ask for the 2nd factor first, and password second? Sounds like it would make it much harder to spoof.

How? First off, if it's a TOTP without a notification, the fake website can just ignore the TOTP input, always say it's correct, and move on to collecting your password. If it's a notification-type 2FA, when you go to the fake site it can request a login with your username in the background, which will send you a notification; you will enter the 2FA code and then the password, which the attacker will log in with.


> when you go to the fake site it can request a login with your username in the background which will send you a notification, you will enter the 2FA code and then password which the attacker will login with.

You're right, I hadn't thought of this. But I wish there was a better way to verify that the login prompt is genuine; today it seems almost arbitrarily hard to be 100% sure of this.

The only way is two-way communication between the computer you're logging in with and the 2FA device, so that the computer can tell the device which website is requesting it, and the 2FA device will respond only if the website matches the website the 2FA was originally registered with. Or have the TOTP key encrypted with the correct website URL, so only the correct URL can decrypt it.

This is essentially what happens with a YubiKey, so it's phishing resistant. It also happens with a passkey, but that's just one factor, since an unlocked stolen PC can log in. For a smartphone as the second factor you can probably have a similar setup by requiring a Bluetooth or USB connection between the laptop/PC and the smartphone, but it comes with its own disadvantages. It can also work with QR codes, I guess, but with the browser generating it from the URL, not the site.
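To make the origin-binding mechanism described in the comment above concrete, here is an added example that is not from the thread, nor code from any browser, authenticator or vendor. It models the exchange in the style of WebAuthn: the browser derives the site identity (rpId) from the page origin and passes it to the authenticator, the authenticator only answers for an rpId it has a credential for, and the site verifies that the signed client data names its own origin and a challenge it issued. The site names (bank.example, bank-example.evil), the username alice, and the use of an HMAC with a per-credential secret in place of the authenticator's real public-key signature are all assumptions made for this illustration.

```python
import hashlib
import hmac
import json
import secrets


class Authenticator:
    """Stand-in for a security key. Each credential is bound to the rpId it was
    registered for. A real key signs with a private key; here an HMAC with a
    per-credential secret plays that role (simplification for the demo)."""

    def __init__(self):
        self._creds = {}  # (rp_id, cred_id) -> secret

    def make_credential(self, rp_id):
        cred_id = secrets.token_hex(8)
        secret = secrets.token_bytes(32)
        self._creds[(rp_id, cred_id)] = secret
        # A real authenticator returns a public key; the shared secret stands in for it.
        return cred_id, secret

    def get_assertion(self, rp_id, cred_id, client_data_hash):
        secret = self._creds.get((rp_id, cred_id))
        if secret is None:
            raise PermissionError(f"no credential registered for rpId {rp_id!r}")
        rp_id_hash = hashlib.sha256(rp_id.encode()).digest()
        sig = hmac.new(secret, rp_id_hash + client_data_hash, hashlib.sha256).digest()
        return rp_id_hash, sig


class Browser:
    """The 'two-way communication' from the comment: the browser tells the key which
    site is asking, and only lets a page ask for an rpId it is actually served from."""

    def __init__(self, authenticator):
        self.auth = authenticator

    @staticmethod
    def effective_domain(origin):
        return origin.split("://", 1)[1].split("/", 1)[0].split(":", 1)[0]

    def get(self, origin, rp_id, cred_id, challenge):
        host = self.effective_domain(origin)
        if not (host == rp_id or host.endswith("." + rp_id)):
            raise ValueError(f"page at {origin!r} may not request rpId {rp_id!r}")
        client_data = json.dumps(
            {"type": "webauthn.get", "challenge": challenge, "origin": origin},
            sort_keys=True,
        ).encode()
        rp_id_hash, sig = self.auth.get_assertion(rp_id, cred_id, hashlib.sha256(client_data).digest())
        return client_data, rp_id_hash, sig


class RelyingParty:
    """The website. Stores one credential per user and checks origin, challenge, rpId hash
    and signature on every assertion."""

    def __init__(self, rp_id, origin):
        self.rp_id, self.origin = rp_id, origin
        self.users = {}      # username -> (cred_id, secret)
        self.pending = set()  # challenges issued but not yet consumed

    def register(self, username, cred_id, secret):
        self.users[username] = (cred_id, secret)

    def challenge(self):
        c = secrets.token_hex(16)
        self.pending.add(c)
        return c

    def verify(self, username, client_data, rp_id_hash, sig):
        _, secret = self.users[username]
        cd = json.loads(client_data)
        if cd.get("type") != "webauthn.get" or cd.get("origin") != self.origin:
            return False  # signed for some other site
        if cd.get("challenge") not in self.pending:
            return False  # replay or never issued
        if rp_id_hash != hashlib.sha256(self.rp_id.encode()).digest():
            return False
        expected = hmac.new(secret, rp_id_hash + hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):
            return False
        self.pending.discard(cd["challenge"])
        return True


def run_scenarios():
    """Runs a genuine login, a phishing relay, and a tampered capture; returns the outcomes.
    All sites, users and the attacker's page are constructed for this demo."""
    key = Authenticator()
    browser = Browser(key)
    bank = RelyingParty("bank.example", "https://bank.example")
    cred_id, secret = key.make_credential("bank.example")
    bank.register("alice", cred_id, secret)
    results = {}

    # 1. Genuine login from the real site.
    ch = bank.challenge()
    results["genuine"] = bank.verify("alice", *browser.get("https://bank.example", "bank.example", cred_id, ch))

    # 2. Phishing relay: the attacker fetches a real bank challenge in the background and asks
    #    the victim's browser (on the evil page) for an assertion, as the comment describes.
    ch = bank.challenge()
    try:
        browser.get("https://bank-example.evil", "bank.example", cred_id, ch)
        results["phish_claims_bank_rpid"] = "signed"
    except ValueError:
        results["phish_claims_bank_rpid"] = "browser refused"
    try:
        browser.get("https://bank-example.evil", "bank-example.evil", cred_id, ch)
        results["phish_own_rpid"] = "signed"
    except PermissionError:
        results["phish_own_rpid"] = "authenticator refused"

    # 3. A captured genuine assertion with the origin field rewritten: rejected by the
    #    origin check, and the signature would no longer cover the edited bytes anyway.
    ch = bank.challenge()
    client_data, rp_hash, sig = browser.get("https://bank.example", "bank.example", cred_id, ch)
    tampered = client_data.replace(b"https://bank.example", b"https://bank-example.evil")
    results["tampered_origin"] = bank.verify("alice", tampered, rp_hash, sig)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

The phishing page loses at two points: the browser will not let a page at bank-example.evil ask for the bank's rpId, and if it asks for its own rpId the key has nothing registered for it, so the victim sees no prompt to approve. This is the difference from TOTP or push approval in the comment above, where the user has no way to tell which site the code or prompt belongs to.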

Yeah, I should just go ahead and get a Yubikey already. Thanks for taking the time to answer.