You could reduce it to a single hardware security key without a password and it would be more secure. The problem—in this case and in general—is using passwords and OTPs for anti-phishing; with a hardware key, there is no way for the phishers to gain access to the account (without being in the room or in possession of the key), even if they successfully convince their victim to log in.
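Why a login on a look-alike site yields nothing usable with a hardware key, as an added example that is not part of the thread: in WebAuthn the browser records the origin it is actually on and the key hashes the relying-party ID, and the server checks both. The names `bank.example` and `bank-login.example` and both functions are assumptions made for illustration, and signature verification (which a real server performs over these same bytes) is left out.

```python
import base64, hashlib, hmac, json

RP_ID = "bank.example"                    # assumed relying-party ID
EXPECTED_ORIGIN = "https://bank.example"  # assumed legitimate origin

def b64u(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def browser_assertion(origin: str, rp_id: str, challenge: bytes):
    """Constructed stand-in for what browser + key return (signature omitted)."""
    # The browser, not the page, fills in the origin the user is really on.
    client_data = json.dumps({"type": "webauthn.get",
                              "challenge": b64u(challenge),
                              "origin": origin}).encode()
    # authenticatorData: rpIdHash (32) | flags (1, bit 0 = user present) | signCount (4)
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (1).to_bytes(4, "big")
    return client_data, auth_data

def verify_assertion(client_data: bytes, auth_data: bytes, challenge: bytes):
    """Server-side checks made alongside signature verification."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False, "wrong type"
    if cd.get("challenge") != b64u(challenge):
        return False, "challenge mismatch"
    if cd.get("origin") != EXPECTED_ORIGIN:
        return False, "origin mismatch"
    if len(auth_data) < 37:
        return False, "authenticator data too short"
    expected_hash = hashlib.sha256(RP_ID.encode()).digest()
    if not hmac.compare_digest(auth_data[:32], expected_hash):
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return False, "user not present"
    return True, "ok"

if __name__ == "__main__":
    ch = bytes(32)  # constructed challenge; a real server issues random bytes
    genuine = browser_assertion(EXPECTED_ORIGIN, RP_ID, ch)
    relayed = browser_assertion("https://bank-login.example", "bank-login.example", ch)
    print(verify_assertion(*genuine, ch))   # login on the real site
    print(verify_assertion(*relayed, ch))   # victim "logged in" on the look-alike
```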
There are scams where they tell the user to do stuff themselves, even going as far as to tell the victim to take all of the money out and deposit it in a Bitcoin account.
This might not be sufficient. We need 4FA or, better, 5FA.