Is it a prompt when you login to "text 123456 to 555-444-3333" and wouldn't that be pretty trivial to forge to appear to be coming from the account owner's phone (if you knew its phone number)?
I mean specifically OATH TOTP—nothing involving SMS. In this threat model, an attacker would not have a phone number or email address for the target—only a username and their stolen password (from a breach).