One time passwords raise the bar, but as services like this become more and more common its clear that we have to move to WebAuthN/FIDO2. You might not think you’re a target but often the value is in the number of breached accounts not the individual account. https://krebsonsecurity.com/2021/09/the-rise-of-one-time-password-interception-bots/