I was not suggesting SMS 2FA when I referred to "Smartphone-based solution". I meant relying on Secure Enclave or the like on the smartphone as the second factor in a challenge-response fashion that makes the "OTP" bound to a specific domain and thus unphishable.
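The domain-bound challenge-response described in the comment above, as an added sketch that is not part of the original comment. It assumes an HMAC over a per-origin secret as a stand-in for the enclave-held key pair a real authenticator would use; the class names, `login` helper and example origins are hypothetical.

```python
import hashlib
import hmac
import secrets


class Authenticator:
    """Stand-in for the phone's hardware-backed key store (hypothetical)."""

    def __init__(self):
        self._keys = {}  # origin -> secret; in a real device this never leaves the enclave

    def register(self, origin):
        key = secrets.token_bytes(32)
        self._keys[origin] = key
        return key  # handed to the server at enrolment (symmetric simplification)

    def respond(self, origin, challenge):
        # `origin` is what the browser/OS reports, not what the page or user claims.
        key = self._keys.get(origin)
        if key is None:
            return None  # no credential scoped to this origin, so nothing is signed
        return hmac.new(key, origin.encode() + b"\x00" + challenge, hashlib.sha256).digest()


class Server:
    def __init__(self, origin):
        self.origin = origin
        self.key = None
        self.pending = set()

    def enrol(self, key):
        self.key = key

    def new_challenge(self):
        challenge = secrets.token_bytes(16)
        self.pending.add(challenge)
        return challenge

    def verify(self, challenge, response):
        if response is None or challenge not in self.pending:
            return False
        self.pending.discard(challenge)  # each challenge is single use
        msg = self.origin.encode() + b"\x00" + challenge  # server's own origin, always
        expected = hmac.new(self.key, msg, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def login(device, server, origin_seen_by_browser):
    """One login attempt; the origin is the one the user's browser is actually on."""
    challenge = server.new_challenge()
    return server.verify(challenge, device.respond(origin_seen_by_browser, challenge))
```

Unlike a typed OTP, the response carries the origin inside the authenticated message, so a value produced on any other domain does not verify at the real server.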