
The first SMS from GitHub is origin-bound; it cannot be used for phishing: https://wicg.github.io/sms-one-time-codes/


Origin-bound codes & Web OTP codes [1] are interesting initiatives, but platform adoption has been poor. For example, it still isn't possible to use Web OTP in Chrome on macOS from a Chrome web app on iOS. The communication isn't there yet.

And for what it's worth - origin-bound OTP codes aren't _strongly_ bound - there isn't anything physically stopping someone from typing that short 6-digit code into a phishing site. Compare with a Magic Link token - you're much less likely to take `https://example.com?token=some-long-uuid` and manually enter that code somewhere else.

[1]: https://wicg.github.io/web-otp/
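To make the two comments concrete, here is an added example (not code from either commenter, GitHub, or the WICG spec) that parses the origin-bound SMS format the spec defines (last line `@host #code`, optionally followed by ` @host` for an embedded frame) and releases the code only when the host matches the page asking for it. The sample messages and the host names in them are constructed for the example; the function names are my own.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Last line of an origin-bound one-time code message per the WICG format:
# "@host #code", optionally followed by " @host" for a cross-origin frame.
_LAST_LINE = re.compile(r"^@(?P<host>\S+) #(?P<code>\S+)(?: @(?P<embedded>\S+))?$")


@dataclass(frozen=True)
class BoundCode:
    host: str
    code: str
    embedded_host: Optional[str] = None


def parse_origin_bound_message(message: str) -> Optional[BoundCode]:
    """Return the binding carried on the message's last line, or None when the
    SMS is not an origin-bound code message (an unbound 'Your code is ...' SMS)."""
    lines = message.rstrip("\r\n").split("\n")
    m = _LAST_LINE.match(lines[-1].strip("\r"))
    if m is None:
        return None
    return BoundCode(m["host"], m["code"], m["embedded"])


def code_for_origin(message: str, page_host: str) -> Optional[str]:
    """What a WebOTP-style client hands to the page served from page_host:
    the code if the host in the SMS matches (case-insensitively, an assumption
    of this example), otherwise nothing.  This is the machine-enforced binding;
    the human-readable digits on the first line are unaffected by it, which is
    the residual risk the second comment describes."""
    bound = parse_origin_bound_message(message)
    if bound is None or bound.host.lower() != page_host.lower():
        return None
    return bound.code


# Constructed sample messages, in the style of a login SMS.
BOUND_MESSAGE = "123456 is your verification code.\n\n@example.com #123456"
UNBOUND_MESSAGE = "123456 is your verification code."
```

A client that follows this logic autofills the code only on `example.com`, and returns `None` for a look-alike host even though the same digits remain readable to the user.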
