It should be much less than one in three, because the user doesn't get conditioned to "just tap one of the numbers and it goes away". The way to consistently dismiss the interruption is to tap the fourth button labelled something like "what, no, that wasn't me".
Yeah, good point. But I still think it's too much risk to place on a potential errant click.
(I have to admit I haven't used the UI in question, and I can't find a screenshot of it on Google Images. Maybe this is a lot safer than I'm imagining.)
I had it just today, it's slightly worse than I was remembering! The "Cancel" button is way less prominent.
Still, remember this is MFA - at least I'm pretty sure you can't have this as the only way to access your account. An attacker typically needs your password plus you to misclick here.
