A lot of OTPs are implemented in insecure ways - e.g. using the "recover password" functionalities you can often figure out patterns the websites are using to create these OTPs. Some websites / apps do not implement account lockout and OTP expiration mechanisms and have 3-digit codes, which allows for brute-force attacks. Others with these mechanisms can lead to DDoS. Also, some web apps log these OTPs directly in the URLs. In general, I agree with minitech in that WebAuthn with a physical factor would be better, both in terms of usability and security.