To summarise Pat’s proposal: when you go to a site to log in, you fetch your username and password for that site from your IdP, encrypted under that site’s public key. That way only the IdP and the site ever see the password. I’m pretty impressed that this can be done without modifying the WS-* protocols, but there’s still a little work left to be done…
In particular, we’re presumably going to be migrating to this from an existing login; in the process we should change the password from whatever phishable nastiness was in use to a nice strong, random password, or to one derived from a master password and the site’s name. Failing to do this would not improve the phishing situation, since the old, phishable password would still be the one in use.
Also, if we use the latter scheme, we can eliminate the IdP and do the whole thing locally from the master password. This gives you portability (without worrying about the grander problem of porting all credentials) for free.
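As an added illustration of the local, IdP-free variant (this is example code written for this post, not Pat’s proposal or any real product), the following derives each site’s password from a master password and the site name with a slow KDF, flags which of the existing logins share a password, and produces the set of replacements a migration would have to push to each site. The credential store, the site names and the 20-character/200k-iteration choices are assumptions made for the example.

```python
import base64
import hashlib
import secrets
import string

# Characters produced by URL-safe base64 (minus padding); most sites accept these.
PASSWORD_ALPHABET = string.ascii_letters + string.digits + "-_"


def derive_site_password(master_password: str, site_name: str,
                         generation: int = 0, length: int = 20,
                         iterations: int = 100_000) -> str:
    """Deterministically derive a per-site password from a master password.

    The site name (plus a rotation counter) is the PBKDF2 salt, so one master
    password yields unrelated-looking passwords for different sites, and the
    whole derivation runs locally with no IdP involved. 'generation' lets the
    user rotate a single site's password without changing the master password.
    """
    site = site_name.strip().lower()            # "Example.com " and "example.com" agree
    salt = f"{site}\x00{generation}".encode("utf-8")
    raw = hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                              salt, iterations, dklen=32)
    # Slow KDF: if one site's derived password leaks, guessing the master
    # password from it costs 'iterations' hashes per guess rather than one.
    return base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=")[:length]


def random_site_password(length: int = 20) -> str:
    """The other option from the post: a strong random password (which then
    has to live in a store or at the IdP, since it cannot be re-derived)."""
    return "".join(secrets.choice(PASSWORD_ALPHABET) for _ in range(length))


def reused_passwords(vault: dict) -> set:
    """Sites whose current password is shared with at least one other site.
    Reuse is what turns one successful phish into several compromised accounts."""
    by_password = {}
    for site, password in vault.items():
        by_password.setdefault(password, []).append(site)
    return {site for sites in by_password.values() if len(sites) > 1 for site in sites}


def plan_migration(vault: dict, master_password: str) -> dict:
    """Return {site: new_password}: every stored login gets a freshly derived
    password, to be set at the site before that login moves to the new scheme."""
    return {site: derive_site_password(master_password, site) for site in vault}


# Constructed sample of an existing credential store (not real accounts).
SAMPLE_VAULT = {
    "bank.example": "Summer2007!",
    "shop.example": "Summer2007!",
    "mail.example": "hunter2",
}

if __name__ == "__main__":
    print("reused at:", sorted(reused_passwords(SAMPLE_VAULT)))
    for site, new_password in plan_migration(SAMPLE_VAULT, "correct horse battery").items():
        print(f"{site}: {SAMPLE_VAULT[site]!r} -> {new_password}")
```

One caveat the derived scheme carries: a leaked site password gives an attacker an offline guessing target for the master password, which is why the KDF is deliberately slow and the master password must itself be strong; and a site that forces a password change needs the `generation` counter remembered somewhere, which quietly reintroduces a small amount of state.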
And, of course, this all needs to happen without much work or comprehension on the part of the user. But it’s definitely a step in the right direction!