One of the flaws of that system was exactly that you didn't know which domains where allowed to issue the requests for a one-time key.

Each service would serve the authenticator snippet from their own domain, with their own certificate. MitID, for all it's centralization flaws, solved that by only being valid under the mitid.dk domain. I doubt that most people check the domain and the certificate, but they could.

How would you use a paper ID online? (Securely, i.e. not the insane thing of taking a selfie holding it or something similarly bizarre in an age of powerful GenAI.)