This. This is the only thing that actually solves all warts of authentication nowadays. Companies really should switch to a webauthn-first mindset. The technology has been here for over a decade, it's not new. There is a standrad and a library for every language, it's not hard. FIDO2 keys start at 20 bucks and every android phone can act as one, it's not expensive. They are literally the only thing that can actually protect you from phishing and they generate new login creds per domain, protecting your privacy. Companies, support webauthn!