You know the little text message you get when logging into a site where you have two-factor authentication enabled?

Apparently, that’s something HTML can fetch straight from a message app and use to autocomplete a numeric/password input that has the autocomplete="one-time-code" attribute on it.