Which is why a properly working password manager is not a strong defense against phishing.
Correct. The moral of the story is that hardware MFA and/or passkeys are a necessity in today's world. An infinitely complex password and 2FA are no match for attacks that leverage human psychology.
It's a strong defense that this guy decided not to use.
Not a strong defense, but it helps.
But it's also why sites that don't work well with a password manager are actively setting their users up to be phished.
Same with every site that uses sketchy domains, or worse, redirects you to xyz.auth0.com to sign in.