While the google cloud thing is a weird design, that seems like the wrong place to blame.

TOTP and SMS based 2FA are NOT designed to prevent phishing. If you care about phishing use yubikeys.