That assumes the recovery mechanism is definitely going to be a greater risk than phishing. In a corporate setting recovery could require intervention from IT support if alternative methods don't exist. That adds obscurity and natural rate limiting. Whereas phishing could be as simple as a fake login page.
Another factor here is the number of logins that a user is required to perform. Anecdotally this seems much higher in a corporate setting than personal. I might log in to Microsoft SSO 15+ times per day for different services. Signing in to apps on my phone is rare.