sandeepkd, 9 days ago:

I am afraid that this flaw is present, to a certain extent, for almost all phishable methods (SMS, TOTP, email OTP, app push), except passkeys and mTLS. "Click a link in the email" isn't much more secure either, for the most part: you might end up following a link blindly, which can lure you into revealing even more information. Passkeys aren't that great either, because almost everyone has to provide an account recovery flow, which uses these same phishable methods. The language in communication is probably the most important deterrent here, second to using signals in the flow to present more friction to the abuser. A simple check, like presenting a captcha-like challenge to the user in case they are not authenticating from the same machine, can go a long way to prevent these kinds of attacks at scale.