This is already a thing but only if you don't have 2FA active. If you try to log in on a new device/place you'll get an email to change your password.

The vast majority of the time the people getting phished are the ones who have massive holes in online security knowledge, so unfortunately no matter how many layers of security you have the most vulnerable will still fall for it. Phishing scams have evolved so much they can circumvent different types of 2FA pretty easily nowadays. And even worse, early FFXIV scams apparently even asked you to disable 2FA and people still fell for it.