sowbug 4 days ago

Has anyone invented something like the TLS three-way handshake, or a U2F challenge, that can use spoken words as a transport layer? People could then be "safely" tricked into reading back "correct-horse-battery-staple" or whatever, because they actually wouldn't have the ability to generate a usable sequence unless the attacker first provided something that only the real site owner could provide.

I'm imagining something with the non-phishability of U2F but the usability of an SMS 6-digit code. Maybe that's U2F.