A fully competent security team will, on the other hand, carry out a more comprehensive threat modelling exercise and make a pragmatic choice about whether this kind of auth flow is appropriate for your usecase.
The phishing risks for a bank account login are very different than those for a ‘returning player’ login to a casual gaming site for example.
