
This is something that the identity provider struggles with. Supporting additional authentication factors can help, although the newer active phishing attacks are causing issues. Certificates, Kerberos and WebAuthn are inherently phishing resistant, which mostly solves the problem if you can rely on or leverage them.

You can also do a form of device enrollment/tracking via a cookie. Since a phisher will not have that cookie, the user authentication experience can switch to be more robust. This also typically triggers a notification to the user that a new device or browser was seen.

You also have threat detection technologies outside of cookies, such as looking at IP address geolocation and doing time of flight analysis.

That's all stuff the identity provider can do. From a user perspective today - check the address bar, and/or use a password manager.
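An added example, not part of the comment above: one way an identity provider could combine the device-enrollment cookie and the geolocation time-of-flight check the comment describes into a step-up decision. The key, the speed threshold, the function names and the sample coordinates are all assumptions made for illustration.

```python
import hashlib
import hmac
import math

SERVER_KEY = b"constructed-demo-key"  # assumption: secret held only by the identity provider
MAX_KMH = 900.0  # assumption: about airliner cruise speed
LONDON, NEW_YORK = (51.5074, -0.1278), (40.7128, -74.0060)  # constructed sample geolocations

def device_cookie(user, device_id):
    """Cookie value set at enrollment: device id plus an HMAC binding it to the user."""
    tag = hmac.new(SERVER_KEY, f"{user}|{device_id}".encode(), hashlib.sha256).hexdigest()
    return f"{device_id}.{tag}"

def cookie_is_enrolled(user, cookie):
    """True only if the cookie was issued by this server for this user."""
    if not cookie or "." not in cookie:
        return False
    device_id = cookie.rsplit(".", 1)[0]
    return hmac.compare_digest(cookie.encode(), device_cookie(user, device_id).encode())

def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points given in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def implied_kmh(prev, cur):
    """Speed needed to travel between two logins, each (epoch_seconds, (lat, lon))."""
    hours = max(cur[0] - prev[0], 1) / 3600.0  # clamp to avoid division by zero
    return haversine_km(prev[1], cur[1]) / hours

def assess(user, cookie, prev_login, cur_login):
    """Return (action, reasons); any risk signal switches to the more robust flow."""
    reasons = []
    if not cookie_is_enrolled(user, cookie):
        reasons.append("new_device")
    if prev_login and implied_kmh(prev_login, cur_login) > MAX_KMH:
        reasons.append("impossible_travel")
    return ("step_up_and_notify" if reasons else "allow"), reasons
```

IP geolocation is coarse and VPN or mobile-carrier exits can move a user's apparent location, so the travel signal is better used to trigger step-up authentication than to block outright.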



