Hacker News

Well, push-based 2FA with "select this number on your 2FA device" helps prevent some vectors. Simple TOTP doesn't do that.

"Never give your TOTP or one-time code over the phone" is good advice.

"Never give info to someone who called you, call them back on the official number" is another.

This is user error at this point.



I disagree. Especially given that companies are centralizing on a couple of 2FA companies (like Okta, from TFA), this is just ripe for phishing. Okta itself is terrible at this; they don't consistently use the okta.com domain, so users are at a loss and have basically no protection against impersonators.


For Okta, if it is set up properly, the user should get push notifications. And in that push notification is a number they need to select to validate the push.

This eliminates credential phishing and "notification exhaustion" where a user just clicks "ok" on an auth request by a bad actor.

As much as I advocate for non-cloud services, what Okta provides is very secure.
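The number-matching push flow described in the comment above, as an added simulation that is not part of the original thread and is not Okta's code. The `PushServer`, `Challenge`, `start_login` and `approve` names are hypothetical; the model is one login server and one phone, with the server comparing a plain Approve/Deny push against a push where the phone offers three numbers and the user must pick the one shown on the login screen. A "fatigued" user who taps approve without looking at any login screen always succeeds against the plain push, but against number matching can only guess.

```python
"""Added simulation of push MFA with and without number matching.

Not Okta's implementation: the challenge and approval API below is a
hypothetical stand-in used to show why a blind "approve" tap stops working
once the user must match a number shown on the login screen.
"""
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Challenge:
    session_id: str
    expected: int            # number displayed on the login screen
    choices: Tuple[int, ...]  # numbers offered on the phone (empty for plain push)
    expires_at: float
    consumed: bool = False


class PushServer:
    """Server side of the exchange: one challenge per login attempt."""

    def __init__(self, number_matching: bool, ttl_seconds: int = 60):
        self.number_matching = number_matching
        self.ttl = ttl_seconds
        self.pending: Dict[str, Challenge] = {}

    def start_login(self) -> Challenge:
        session_id = secrets.token_hex(8)
        if self.number_matching:
            # Three distinct two-digit numbers go to the phone; one of them
            # is shown on the login page the user is sitting in front of.
            choices = secrets.SystemRandom().sample(range(10, 100), 3)
            expected = secrets.choice(choices)
        else:
            choices, expected = [], 0   # plain push: nothing to match
        ch = Challenge(session_id, expected, tuple(choices), time.time() + self.ttl)
        self.pending[session_id] = ch
        return ch

    def approve(self, session_id: str, selected: Optional[int]) -> bool:
        """Phone -> server. A challenge may be answered once, then it is dead."""
        ch = self.pending.get(session_id)
        if ch is None or ch.consumed or time.time() > ch.expires_at:
            return False
        ch.consumed = True
        if not self.number_matching:
            return True                  # any tap on "Approve" logs the attacker in
        return selected == ch.expected  # must match what the login screen shows


def fatigued_user_taps_approve(server: PushServer, ch: Challenge) -> bool:
    """User who approves every push without looking at a login screen.

    The attacker started this login, so the real screen number is on the
    attacker's browser, not the victim's; with number matching the only
    option is a guess among the offered choices.
    """
    if server.number_matching:
        return server.approve(ch.session_id, secrets.choice(ch.choices))
    return server.approve(ch.session_id, None)


def legitimate_user(server: PushServer, ch: Challenge) -> bool:
    """User who started the login and reads the number off their own screen."""
    return server.approve(ch.session_id, ch.expected if server.number_matching else None)


def blind_approval_success_rate(number_matching: bool, trials: int = 3000) -> float:
    """Fraction of attacker-initiated logins a blindly approving user lets through."""
    server = PushServer(number_matching)
    wins = sum(fatigued_user_taps_approve(server, server.start_login()) for _ in range(trials))
    return wins / trials


def replay_is_rejected(number_matching: bool) -> bool:
    """Answering the same challenge twice must fail the second time."""
    server = PushServer(number_matching)
    ch = server.start_login()
    first = legitimate_user(server, ch)
    second = legitimate_user(server, ch)
    return first and not second


if __name__ == "__main__":
    print("plain push, blind approve:", blind_approval_success_rate(False))
    print("number matching, blind approve:", blind_approval_success_rate(True))
```

With three choices a blind tap is reduced from a certain compromise to a one-in-three guess per attempt, which is what makes the lockout after a few failed pushes meaningful. The simulation models only the blind-approval case; it does not model an attacker who can show the victim the right number, for example by relaying the login through a phishing page in real time, which is a separate problem from notification fatigue.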



