Say for some odd reason you end up on a phishing site pretending to be AlphaBay. Now say they have configured their server to open a session with AlphaBay as soon as you connect to them, so that the captcha they show you is the same one AlphaBay generates, and you send the result through them to AlphaBay. Now they have your password, but you are left with PGP authentication. But all they have to do is forward you what they are fetching from AlphaBay, so that AlphaBay receives your authenticated message, and now this malicious site has your session. Say you continue to use this site and happen to input your PIN; now this malicious site can just withdraw all your coins. I don't see how 2-FA is really doing anything here. Can someone help me out? It seems to just create the illusion of protection, or to make it only slightly harder for phishing sites to steal your money.
AlphaBay sends you an encrypted message with your public key, though.
Phishing site doesn't have your public key(?)
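The relay the question describes, modelled in Python as an added example (not from the thread, and not AlphaBay's real protocol): a toy textbook RSA key pair stands in for the user's PGP key, the server's check is "prove you decrypted my nonce", and a relaying phishing site passes that check because it forwards the challenge unchanged. The second variant is a hypothetical hardening assumed here, not something the market offered: the client mixes the host it is actually connected to into its answer, so a forwarded challenge answers for the wrong host.

```python
import hashlib
import secrets

# Toy textbook RSA (tiny constructed primes, no padding) stands in for the
# user's PGP key pair. Illustration only; never use parameters like these.
P, Q, E = 1000000007, 998244353, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # user's private exponent

REAL_HOST = "market.example.onion"  # constructed placeholder for the real site


def server_issue_challenge() -> tuple[int, int]:
    """Market server: pick a nonce and encrypt it to the user's public key."""
    nonce = secrets.randbelow(N - 2) + 2
    return nonce, pow(nonce, E, N)


def user_decrypt(ciphertext: int) -> int:
    """User's PGP client: only the private-key holder recovers the nonce."""
    return pow(ciphertext, D, N)


def unbound_login(host_user_typed: str) -> bool:
    """Protocol as the question describes it: return the decrypted nonce.

    The host the user is really talking to plays no role, so a phishing site
    that forwards the ciphertext and relays the answer is indistinguishable
    from the user logging in directly.
    """
    nonce, ct = server_issue_challenge()
    answer = user_decrypt(ct)      # user sees exactly what the market sent
    return answer == nonce         # server check: passes for the relay too


def bound_response(ciphertext: int, host_user_typed: str) -> str:
    """Hypothetical host-bound variant: the client's answer commits to the
    host it is connected to, not just to the nonce."""
    nonce = user_decrypt(ciphertext)
    return hashlib.sha256(f"{nonce}|{host_user_typed}".encode()).hexdigest()


def bound_login(host_user_typed: str) -> bool:
    """Server recomputes the answer for its own hostname; a response produced
    while connected to a phishing host no longer matches."""
    nonce, ct = server_issue_challenge()
    answer = bound_response(ct, host_user_typed)
    expected = hashlib.sha256(f"{nonce}|{REAL_HOST}".encode()).hexdigest()
    return answer == expected
```

The binding only helps if the client software, not the user, supplies the hostname; a nonce copied by hand into a PGP tool carries no such information.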