A succinct and to-the-point teardown of why 2FA (two-factor authentication) is beneficial for user verification by businesses, but terrible for preventing things like phishing attacks (because the fake site can simply make the valid requests on your behalf). In other words:
There is almost nothing you can do to authenticate that a site is legitimate.
Though, Terence does give one interesting suggestion: password managers. Already pretty much an industry-standard best practice for account protection, they make a valid point here that it also works as a filter for "approved" URLs. If your password manager only suggests auto-fill based on URL, it works as a sanity check for phishing sites too.