Seeing as phishing is getting more popular and users are becoming less concerned about security, I am trying to come up with a solution for a new site of mine that can stop phishers. For instance, anyone can create a new site that looks exactly like Gmail and phish users to it in order to obtain their UN/PW.
However, what if we made the user pick their subdomain at registration? They can only log in on this subdomain, i.e. mysubdomainchoice.domain.com. Now when the phisher gets the credentials from an innocent user, he no longer knows where he can apply them. After several invalid login attempts we can safely lock out the user and have them change their UN/PW if they come to their correct subdomain and answer their security questions.
Is this a valid way of defending against phishing and have others thought of this before?
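
The server-side check this question describes, sketched as an added example that is not part of the original post: a login succeeds only when the Host header carries the subdomain chosen at registration, and repeated failures lock the account. `HostBoundLogin`, `host_label` and `MAX_FAILURES = 5` are hypothetical names and values; `domain.com` is the placeholder used in the post.

```python
import hashlib
import hmac
import os

BASE_DOMAIN = "domain.com"  # placeholder domain from the post
MAX_FAILURES = 5            # assumed; the post only says "several"

def _kdf(password, salt):
    # Salted, slow password hash so stored credentials are not plaintext.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def host_label(host):
    """Return the single label left of BASE_DOMAIN, or None if Host is not ours."""
    name = host.lower().split(":", 1)[0].rstrip(".")  # drop port and trailing dot
    suffix = "." + BASE_DOMAIN
    if not name.endswith(suffix):
        return None
    label = name[: -len(suffix)]
    return label if label and "." not in label else None

class HostBoundLogin:
    def __init__(self):
        self.users = {}  # username -> account record

    def register(self, username, password, subdomain):
        salt = os.urandom(16)
        self.users[username] = {"sub": subdomain.lower(), "salt": salt,
                                "hash": _kdf(password, salt),
                                "failures": 0, "locked": False}

    def login(self, host, username, password):
        """Return "ok", "denied" or "locked"."""
        user = self.users.get(username)
        if user is None:
            return "denied"
        if user["locked"]:
            return "locked"  # stays locked until a separate recovery flow resets it
        label = host_label(host) or ""
        host_ok = hmac.compare_digest(label.encode(), user["sub"].encode())
        pw_ok = hmac.compare_digest(_kdf(password, user["salt"]), user["hash"])
        if host_ok and pw_ok:
            user["failures"] = 0
            return "ok"
        user["failures"] += 1  # wrong subdomain and wrong password count alike
        if user["failures"] >= MAX_FAILURES:
            user["locked"] = True
            return "locked"
        return "denied"
```

The same "denied" result is returned for a wrong subdomain and for a wrong password, so a response does not reveal which of the two failed.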