Hacker News
Evilginx2: Standalone man-in-the-middle attack framework (github.com)
54 points by archimag0 2762 days ago
1 comments

Any ideas how a website can protect itself in this situation?
You can't reliably fix this as a website. You can try to resolve this on the client by using the website's origin as part of the 2FA challenge (which is what U2F does), but ultimately there's no good, universal solution for this.

It's also important to note that 2FA was never meant to solve phishing, it was meant to solve password reuse. Phishing is still pretty much unsolved.

CheckPoint (and likely other) firewalls can stop phishing by watching HTTP POSTs going north and blocking them if they look phishy.
Useful tools to monitor "evil domains that look like yours":

https://github.com/UndeadSec/EvilURL - Generate unicode evil domains for IDN Homograph Attack and detect them.

https://github.com/elceef/dnstwist - Domain name permutation engine for detecting typo squatting, phishing and corporate espionage

Then either buy them (if you can afford them all) or block them (don't serve your pages to these domains).

A website can hardly protect itself. The user can. Any tool that validates the URL on the login page is safe (U2F keys or a password manager).
Require use of U2F security keys for the second factor. The whole point of them is that they're unphishable.
From a blog post by the tool's author:

> One such defense I uncovered during testing is using JavaScript to check if window.location contains the legitimate domain. These detections may be easy or hard to spot and much harder to remove, if additional code obfuscation is involved.