Stronger MFA relies on asymmetric key cryptography. This protects from phishing attacks.
In fact in NIST- SP-800-63-3 NIST sets requirements to cryptographic authenticators such as PIV/CAC, FIDO U2F authenticators, or FIDO2/WebAuthN.
Those are fancy two dollar words to mean a different channel for your authentication mechanism that is always encrypted.
People can't social engineer the encrypted token because the user don't know it