saintfire, today at 1:12 AM

Push based, sure. Allowing SMS, I still hold, undermines all of this.

They "secure" this behind a password, which you entered to trigger the SMS push in the first place.

Offering an "out" to a more secure flow means your secure flow may as well not exist.

Additionally, phishing a pushed OTP is not really much harder, since you can trigger the push and then just have the user finish off the flow for you, provided they don't read the IP or whatever you display to them (they won't; they think they're signing in). That is effectively the same as a TOTP.