YubiKeys and Macs are not magic solutions. That's not good security thinking. The same passwordless b.s. that's spreading like cancer is another thing.
Bigcorp networks are emergent, not pieced together. Threat actors just need one or two flaws. Case in point, the Mac and YubiKey corp with a big fat wallet that was hacked: Uber.
Everyone is a backseat driver with silver-bullet solutions; meanwhile, there are decades of research and best practices that solve all these problems.
People who chase absolute security through one-size-fits-all solutions do more harm than good.
While normally I would agree wholeheartedly with this, in this very instance I see meaningless abstraction in service of justifying consumer harm. The phishing TTPs outlined in the article can be mitigated with hardware keys, and the places in the corporate network where they must be part of auth workflows can be identified. There are people whose job this is in corporate networks of all levels of piecemeal quagmires. T-Mobile probably has people working on this now.
I don't disagree that YubiKeys are effective, but even SMS 2FA could have been effective! This is missing the forest for the trees. Even then, what if it wasn't credential harvesting but a download for an infostealer? Then even YubiKeys are ineffective due to cookie theft.
You have many, many best practices: have a good email protection service/sandbox-detonation, MFA, detection+monitoring after the fact, CAP so threat actors can't just log in from any random IP or device, threat hunting, user training, etc. These are all things a good security program should be doing to create the most hostile environment for a threat actor.
People had the same frustrating MFA argument on HN with Uber when it was hacked, but long after the news story hype died down it was revealed that the TA got a contractor's creds via infostealer malware. Access to corporate networks is a common trade item in certain forums.
In this case, MFA of any kind, CAP and a URL-rewriting email security service are all layers of defense that could have caught this before impact.