Two-factor does not protect against phishing attempts.
The fake website can ask for two-factor input and man-in-the-middle proxy this to the attacked website. These techniques have been used by the phishers for the last decade or so. Asking more two-factor codes e.g. Once at login and once at withdrawal helps, but the impact is not significant and also brings down the overall UX.
The fake website can ask for two-factor input and man-in-the-middle proxy this to the attacked website. These techniques have been used by the phishers for the last decade or so. Asking more two-factor codes e.g. Once at login and once at withdrawal helps, but the impact is not significant and also brings down the overall UX.