Need to be able to ban/block the attacker, not slow them down.
That said, the server side should be rate limiting repeated requests. Push codes were another idea from the room temp IQ set, probably the ones who were already butthurt about their idiotic SMS implementations being torn to shreds.
Most of this still comes down to implementation problems. Existing push authentication windows focus on mobile devices. They use tiny notifications that are hard to read, last only seconds, and rarely let the user go back and review missed alerts or change their response and revoke an accidental approval. They provide no channel to report a spamming attack, either to the service the request is for, your employer's IT department, or law enforcement.
Apple and Google are about as bad in this regard, and all three seem content with the garbage they made because the other two are doing the same thing. All of this is the long shadow of SMS codes, which were literally only chosen because they wanted to force users to cough up a working mobile number.
Adding MITM protections to TOTP would have been easier and allowed offline authentication. Instead we built yet another standard and it has more problems than what it replaced.
Passkeys will help with this, but we need to make sure that stays open so we don't end up with another "you can use any SSO provider you want as long as it's Google or Azure" problem.
FIDO keys are also solid but have some rough edges in the user experience and almost nothing supports them currently.
I think we also need to force providers that require authentication to support an open and user-controlled method. By that I mean that when I sign up for service X, I should be able to tell them what authentication methods to use. If I want TOTP, no security questions, and a FIDO keyring, that's what I should get. If someone else wants a public key and push codes, and for their aunt Georgina to be able to reset their access, that should be what they get. Linux got 85% of the way there with PAM modules. Site operators should be able to define minimum standards and everyone should be required to use an upgrade-able security plugin that is separate from the underlying OS so flawed methods can be fixed, revoked, or replaced on the fly.