
One-time codes are very vulnerable to phishing. Users are prone to entering codes on any resembling website.


I was gonna argue that you can fix this, but I realized that you’re right. It’s a MITM attack where there’s really no way to stop it, same as passwords. It’s basically the same feature (signing in from a different browser) that also lets attackers in.

That said, here’s how I would mitigate it:

- Like usual, time-based limits on the code
- Code is valid only for the initiating session, requiring the attacker to create a paper trail to phish

If you do have a magic link & want to use code as backup for authenticating a different device/browser, you could:

- Compare IP and/or session cookie between the initiating and confirming windows. On match, offer a login button. On mismatch, show the code and a warning stating how it’s different, e.g. “You are signing in on a different device or browser, initiated from $os $browser in $city, $country, $ip - $t minutes ago.”

It’s not perfect, though, and may still be prone to phishing.
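The session-bound code check sketched in the comment above, written out as an added example; this is not code from the comment or from any particular product. The six-digit code format, the five-minute TTL, the five-guess limit, the in-memory store keyed by e-mail address, and the injected clock are all assumptions made for the example. The warning text follows the comment's wording but omits the OS, browser and city fields, which would need user-agent parsing and IP geolocation that are not included here.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Assumed policy values (not from the original comment).
CODE_TTL_SECONDS = 300   # time-based limit on the code
MAX_ATTEMPTS = 5         # wrong guesses before the pending code is discarded


@dataclass
class PendingLogin:
    code: str
    session_id: str      # session cookie of the browser that requested the code
    ip: str              # client IP seen on the initiating request
    user_agent: str      # shown back to the user in the cross-device warning
    created_at: float
    attempts: int = 0


@dataclass
class LoginResult:
    # "ok", "invalid", "expired", "rejected" (strict mode) or "cross_device"
    status: str
    warning: Optional[str] = None   # set when the confirming context differs


class CodeStore:
    """In-memory store of pending one-time codes, each bound to the session
    and IP that requested it (hypothetical helper, constructed for this example)."""

    def __init__(self, allow_cross_device: bool = False,
                 clock: Callable[[], float] = time.time):
        # allow_cross_device=False is the strict variant from the comment:
        # the code is only valid for the initiating session.
        self.allow_cross_device = allow_cross_device
        self._clock = clock
        self._pending: Dict[str, PendingLogin] = {}

    def issue(self, email: str, session_id: str, ip: str, user_agent: str) -> str:
        """Generate a code and remember who asked for it. Returns the code to send."""
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[email] = PendingLogin(code, session_id, ip, user_agent,
                                            self._clock())
        return code

    def confirm(self, email: str, submitted: str, session_id: str, ip: str,
                accept_cross_device: bool = False) -> LoginResult:
        """Check a submitted code against the pending login for this e-mail."""
        pending = self._pending.get(email)
        if pending is None:
            return LoginResult("invalid")

        now = self._clock()
        if now - pending.created_at > CODE_TTL_SECONDS:
            del self._pending[email]
            return LoginResult("expired")

        # Constant-time comparison; wrong guesses are counted and capped.
        if not hmac.compare_digest(pending.code.encode(), submitted.encode()):
            pending.attempts += 1
            if pending.attempts >= MAX_ATTEMPTS:
                del self._pending[email]
            return LoginResult("invalid")

        # Same session cookie and same IP as the initiating window: log in.
        if pending.session_id == session_id and pending.ip == ip:
            del self._pending[email]
            return LoginResult("ok")

        # Different browser or network. Strict mode refuses outright.
        if not self.allow_cross_device:
            del self._pending[email]
            return LoginResult("rejected")

        minutes = int((now - pending.created_at) // 60)
        warning = (f"You are signing in on a different device or browser, "
                   f"initiated from {pending.user_agent} at {pending.ip} - "
                   f"{minutes} minutes ago.")
        if accept_cross_device:
            # The user saw the warning and explicitly chose to continue.
            del self._pending[email]
            return LoginResult("ok", warning)
        # Code stays pending so the user can confirm after reading the warning.
        return LoginResult("cross_device", warning)
```

Note what this does and does not stop. Binding the code to the initiating session defeats an attacker who waits for a code the victim requested themselves, but a live relay (the victim types their e-mail into a phishing page, the attacker submits it to the real site from the attacker's own browser, the victim then types the emailed code into the phishing page) still sees a matching session and IP on the attacker's side, which is the MITM case the comment concedes cannot be closed this way.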




