Stronger MFA relies on asymmetric key cryptography. This protects from phishing attacks.

In fact in NIST- SP-800-63-3 NIST sets requirements to cryptographic authenticators such as PIV/CAC, FIDO U2F authenticators, or FIDO2/WebAuthN.

Those are fancy two dollar words to mean a different channel for your authentication mechanism that is always encrypted.

People can't social engineer the encrypted token because the user don't know it