No. The assertion is that it does fail to provide a benefit in practical, real-world cases, but defends against a fairly niche attack.
There's a reason that 'tptacek called it "security theater". Its implementors could better spend that time on actual security measures for things that are much more likely to happen...like defense in depth for credential leaking.
There's a reason that 'tptacek called it "security theater". Its implementors could better spend that time on actual security measures for things that are much more likely to happen...like defense in depth for credential leaking.