jemiluv8 9 days ago

Can OP tell us how they implement one-time code emails? Ever heard of the PKCE flow applied to OTP auth, where there is a guarantee that the OTP flow can only be completed using the device/browser on which the user initiated the request?

Consider this scenario: User initiates login on your site.

1. You generate a code_verifier (random) and a code_challenge = SHA256(code_verifier) and store the code_verifier in the browser session (e.g., local/session storage, secure cookie, etc.).

2. You send the code_challenge to the server along with the email address.

3. Server sends the email with a login code to the user, recording the challenge (associated with the email).

4. User receives the email and enters the code on the same device/session.

5. Client sends the code + code_verifier to the server. Server verifies: the code is correct, and SHA256(code_verifier) == stored code_challenge.

The end result is that the code cannot be used from another device or browser unless that device/browser initiated the flow and has the code_verifier.

A combination of the above and a login link might help. But ultimately, the attacker will be relying on the gullibility of the user. The user will have to not check the URLs.

Assuming the bot knows to send a code_challenge and send the code_verifier together with the verification code.

But then again, GOOD can just also ensure that their OTP can only be completed from the GOOD domain/origin. That would shore things up at least.
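The five-step flow above, written out as an added example (not code from the commenter or from the OP's project): the browser side keeps the code_verifier and sends only the code_challenge, and the server side checks both the emailed code and SHA256(code_verifier) against the stored challenge. The in-memory store, 6-digit code, 10-minute expiry and attempt cap are my assumptions; origin binding is left to the usual cookie/CORS layer.

```python
import hashlib
import hmac
import secrets
import time


def browser_start():
    """Steps 1-2: browser generates code_verifier, keeps it locally, sends only the challenge."""
    verifier = secrets.token_urlsafe(32)
    challenge = hashlib.sha256(verifier.encode()).hexdigest()
    return verifier, challenge


class OtpPkceServer:
    def __init__(self, ttl_seconds=600, max_attempts=5):
        self.ttl = ttl_seconds            # assumed 10-minute validity window
        self.max_attempts = max_attempts  # assumed guess limit per issued code
        self.pending = {}                 # email -> {code_hash, challenge, expires, attempts}

    def start(self, email, code_challenge, now=None):
        """Step 3: issue a code for this email and record the challenge beside it."""
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10**6):06d}"  # constructed 6-digit login code
        self.pending[email] = {
            "code_hash": hashlib.sha256(code.encode()).hexdigest(),  # never store the raw code
            "challenge": code_challenge,
            "expires": now + self.ttl,
            "attempts": 0,
        }
        return code  # goes out by email only, never back to the browser that asked

    def verify(self, email, code, code_verifier, now=None):
        """Step 5: accept only if the code matches AND SHA256(code_verifier) == stored challenge."""
        now = time.time() if now is None else now
        entry = self.pending.get(email)
        if entry is None or now > entry["expires"]:
            self.pending.pop(email, None)   # expired or unknown: discard
            return False
        entry["attempts"] += 1
        if entry["attempts"] > self.max_attempts:
            self.pending.pop(email, None)   # too many guesses: invalidate the code
            return False
        code_ok = hmac.compare_digest(entry["code_hash"], hashlib.sha256(code.encode()).hexdigest())
        verifier_ok = hmac.compare_digest(
            entry["challenge"], hashlib.sha256(code_verifier.encode()).hexdigest())
        if code_ok and verifier_ok:
            del self.pending[email]         # single use: a replayed code fails
            return True
        return False
```

A phished code typed into a different browser fails the second check because that browser never held the code_verifier, even though the code itself is correct.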