by paxys 252 days ago
> This is, in fact, how all of our infrastructure is secured at Fly.io; specifically, we get everything behind an IdP (in our case: Google’s) and have it require phishing-proof MFA.

Every system is only as secure as its weakest link. If the company's CEO is idiotic enough to pull credentials from 1Password and manually copy-paste them on a random website whose domain does not match the service that issued it, what is to say they won't do the same for an MFA token?


They literally explain in the article they're using FIDO MFA that is phishing proof as the key authenticates the website (it's not your run-of-the-mill SMS 2FA, it's using WebAuthn to talk to your MFA).

With this setup, you can't fuck up.

FIDO2 won’t send an authentication to a fake site, no matter what the human does.

That’s what makes it phishing-resistant.

Passkeys are called "phishing-resistant" because (when properly implemented) it's impossible for users to fuck up. They literally cannot be phished into giving an adversary their credentials, no matter what they click or what they do.
The. whole. point. of. phishing-resistant. MFA. is. that. you. can't. do. the. same. thing.
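The origin binding the replies above describe, as an added illustration that is not part of the thread: the relying party's check of the browser-stamped `origin` in clientDataJSON and of the `rpIdHash` at the start of authenticatorData. The domains, challenge and authenticator bytes are constructed sample data, and the signature verification that a real relying party also performs is left out to keep the focus on why a lookalike site's assertion is rejected.

```python
import base64
import hashlib
import json

def b64url_decode(s: str) -> bytes:
    """Decode unpadded base64url, as used for the challenge in clientDataJSON."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def rp_id_hash(rp_id: str) -> bytes:
    """authenticatorData begins with SHA-256(rpId); the browser derives rpId from the page origin."""
    return hashlib.sha256(rp_id.encode("ascii")).digest()

def check_assertion_binding(client_data_json: bytes, authenticator_data: bytes,
                            expected_challenge: bytes, rp_id: str,
                            allowed_origins: set) -> tuple:
    """Origin/rpId checks a relying party runs before verifying the signature.

    The signature (omitted here) covers authenticator_data || SHA-256(client_data_json),
    so neither field can be altered by the page after the authenticator signs.
    """
    try:
        cd = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if cd.get("type") != "webauthn.get":
        return False, "not an authentication ceremony"
    if b64url_decode(cd.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch (replay or wrong session)"
    origin = cd.get("origin", "")
    if origin not in allowed_origins:
        return False, "origin %r is not the relying party" % origin
    if len(authenticator_data) < 37 or authenticator_data[:32] != rp_id_hash(rp_id):
        return False, "rpIdHash does not match this relying party"
    return True, "origin and rpId bound to this relying party"

# Constructed sample data (not real captures). The browser, not the user, fills in origin.
CHALLENGE = b"\x01" * 32
RP_ID = "example.com"
ALLOWED = {"https://login.example.com"}

def make_client_data(origin: str) -> bytes:
    chal = base64.urlsafe_b64encode(CHALLENGE).rstrip(b"=").decode()
    return json.dumps({"type": "webauthn.get", "challenge": chal, "origin": origin}).encode()

def make_auth_data(rp_id: str) -> bytes:
    return rp_id_hash(rp_id) + b"\x01" + b"\x00\x00\x00\x01"  # rpIdHash || flags(UP) || signCount

def demo() -> tuple:
    """Returns (legit accepted?, lookalike accepted?). A lookalike host gets its own origin and rpId
    stamped by the browser, so even a user who clicks through yields an assertion the RP rejects."""
    legit = check_assertion_binding(make_client_data("https://login.example.com"),
                                    make_auth_data(RP_ID), CHALLENGE, RP_ID, ALLOWED)
    phish = check_assertion_binding(make_client_data("https://login.example.com.evil-lookalike.test"),
                                    make_auth_data("example.com.evil-lookalike.test"), CHALLENGE, RP_ID, ALLOWED)
    return legit[0], phish[0]
```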