I blame SAML and any other federated login being an "enterprise only" feature on most platforms.

So users get used to sharing passwords between multiple accounts and no centralised authority for login. This causes the "hey what's your password? I need to quickly fix this thing" culture in smaller companies which should never be a thing in the first place.

If users knew the IT department would never need their passwords and 2FA codes they would never give them out, the reason they give them out is because at some point in the past that was a learned behaviour.

Ugh, or being able to generate an API/service token. It just ingrains the bad passwords and password sharing if you have to use passwords everywhere.

Well, push based 2fa with "select this number on your 2fa device" helps prevent some vectors. Simple totp doesn't do that.

"Never give your totp or one time code over the phone" is good advice.

"Never give info to someone who called you, call them back on the official number" is another.

This is user error at this point.

I disagree. Specially again that companies are centralizing on a couple 2FA companies (like Okta from TFA), this is just ripe for phishing. Okta itself is terrible at this; they don't consistently use the okta.com domain, so users are at a loss and have basically no protection against impersonators.

For okta, if it is set up properly, the user should get push notifications. And in that push notification is a number they need to select to validate the push.

This eliminates credential phishing and "notification exhaustion" where a user just clicks "ok" on an auth request by a bad actor.

As much as I advocate for non cloud services, what okta provides is very secure.