> This is, in fact, how all of our infrastructure is secured at Fly.io; specifically, we get everything behind an IdP (in our case: Google’s) and have it require phishing-proof MFA.
Every system is only as secure as its weakest link. If the company's CEO is idiotic enough to pull credentials from 1Password and manually copy-paste them on a random website whose domain does not match the service that issued it, what is to say they won't do the same for an MFA token?
They literally explain in the article they're using FIDO MFA that is phishing-proof as the key authenticates the website (it's not your run-of-the-mill SMS 2FA, it's using WebAuthn to talk to your MFA).
With this setup, you can't fuck up.
The. whole. point. of. phishing-resistant. MFA. is. that. you. can't. do. the. same. thing.
FIDO2 won’t send an authentication to a fake site, no matter what the human does.
That’s what makes it phishing-resistant.
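The origin binding the replies above describe, shown as the relying party's verification step over a WebAuthn assertion (an added example, not code from the thread or from Fly.io); the RP ID, origin and challenge are constructed sample values, and signature checking is left out to focus on the origin and RP ID hash fields.

```python
import base64
import hashlib
import json

# Constructed sample relying-party values (not from the original thread).
RP_ID = "accounts.example.com"
EXPECTED_ORIGIN = "https://accounts.example.com"
CHALLENGE = b"server-issued-random-challenge"


def b64url(data: bytes) -> str:
    """Base64url without padding, as WebAuthn encodes the challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_assertion(origin: str, rp_id: str, challenge: bytes) -> dict:
    """Build the two assertion fields that carry origin binding.

    The browser fills clientDataJSON with the page's real origin; the
    authenticator prefixes authenticatorData with SHA-256(rpId).
    """
    client_data = {"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin}
    # rpIdHash (32 bytes) + flags (UP|UV = 0x05) + 4-byte signature counter
    auth_data = hashlib.sha256(rp_id.encode()).digest() + bytes([0x05]) + (1).to_bytes(4, "big")
    return {"clientDataJSON": json.dumps(client_data).encode(), "authenticatorData": auth_data}


def verify_origin_binding(assertion: dict, expected_origin: str, rp_id: str, challenge: bytes) -> bool:
    """Relying-party checks that make a phished assertion useless.

    A look-alike domain yields a different origin and a different rpIdHash,
    so the assertion fails here even if a user was tricked into producing it.
    """
    client_data = json.loads(assertion["clientDataJSON"])
    if client_data.get("type") != "webauthn.get":
        return False
    if client_data.get("challenge") != b64url(challenge):  # blocks replay of old assertions
        return False
    if client_data.get("origin") != expected_origin:  # origin must be ours, not a look-alike
        return False
    auth_data = assertion["authenticatorData"]
    if len(auth_data) < 37:
        return False
    if auth_data[:32] != hashlib.sha256(rp_id.encode()).digest():  # rpIdHash must match our RP ID
        return False
    if not auth_data[32] & 0x01:  # user-present flag must be set
        return False
    return True
```

In practice the browser already refuses to use the credential on a domain that does not match the RP ID, so the server check is a second line of defence, not the only one.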