@yogthos sigh... give workers FIDO tokens and upgrade your shit to use WebAuthn, problem solved. Notice how the phishing SMS messages prayed on the obnoxiousness of institutional password policies, so they seemed legit.