The real problem is not having a (trusted) way of seeing what you are consenting to by entering a TOTP (which can be phished).

SMS-OTP, with all its downsides, allows attaching a message of who you're paying how much to the actual code.