While more secure than ordinary push 2fa, users that don't read the hostname could still be phished. Domain matching 2FA solves this problem by replacing the number with a domain. Let's take a look at this in action. Here are a couple of notes: Domains should vary: using 1 domain may cause users to simply remember and re-enter that domain (it is possible to implement a similar approach with 1 doma