TOTP codes are still phishable; the push notification includes information on where you're logging in from, so you at least have a chance to notice that the login is coming from Croatia and not your house.
Just because it's more secure doesn't mean I want to use it: it's poor UX, especially for those of us who don't carry a phone around 24/7. Even if you use FIDO or TOTP, it will always prioritise push notification and AFAIK you must enable push notification to use any other type of MFA.
Plus (unlike TOTP and FIDO), it's proprietary, making it harder to fit in my workflow. For instance, I can generate TOTP codes from my computer in order to seamlessly sign-in to services.
Any attack that can intercept TOTP codes (= some kind of MITM or local device compromise) can also request the unwanted actions with the IP of your device. All this does is prevent lazy attacks.
With Google Authenticator, there is no notification, is there? As a user, you have to open your phone, open the app, then scroll to the right code, and copy/paste it. (The lack of search is one of the reasons that made me switch to Aegis.)
I always thought Okta was kind of weird, because it's just a notification that says "allow/deny" and it's easy to click the wrong one.
It's possible I'm confused by GP, but there are two things being discussed here I think:
First, Google Authenticator, which is in fact just TOTP and can be used for both Google 1P and any 3P TOTP thing. And second, Google's push-notification based auth checks, which are used only for certain 1P Google apps (like logging into your Gmail or YouTube).
FIDO is still vastly better though.