This is called MFA bombing. Just send prompts until the user accidentally accepts one.

Microsoft’s authentication has protection against this, requiring you to manually enter a 2 digit number in your phone, matching what you see on your other device. Very simple, there is no excuse for Google to not have similar.