Phishing-resistant 2FA is the way I reckon. I think this was included in the Zero Trust Architecture being pushed hard by the US Government post-colonial pipeline debacle.