dogpuncher 9 days ago

I don't understand your example.

> 2) BAD website says “We’ve sent you an email, please enter the 6-digit code! The email will come from GOOD, as they are our sign-in partner.”

Does that mean that GOOD must be a 3rd party identity provider like Facebook, Apple, Google etc?

lmm 9 days ago

They don't have to actually be a 3rd party identity provider; the user just has to find it plausible that they might offer 3rd party login. Which, to be honest, pretty much any big or even medium-sized tech company might be doing these days.

hombre_fatal 9 days ago

No, BAD just inserts your email address on GOOD’s login page which sends you the login code, and they lie to prime you into thinking it’s not suspicious that the email came from someone other than BAD.

When you insert the login code on BAD, BAD uses it to finish the login process on GOOD that they started “on your behalf”.

Philpax 9 days ago

BAD is lying about GOOD and presenting GOOD's legitimate service as a mere IdP for BAD, such that the user provides their code for GOOD to BAD so that the latter can then automatically log into GOOD.

atoav 9 days ago

BAD assumes:

1. you got login credentials at GOOD

2. you're using the same email address there

They then tell you GOOD will send you a code that you have to enter on their website.

Then they enter your email on GOOD and request a reset, which sends a mail with a code to you.

You then enter the code on their website.

Now that they have the code, they can enter it on GOOD, and they have your account.
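
Added illustration of the flow atoav describes (not code from the thread or from any site mentioned): a Python model of GOOD's backend with a hypothetical origin-bound challenge/response placed next to the emailed code. The origin names, the HMAC stand-in for a registered device key and the victim address are assumptions; the point is that a typed code can be relayed intact, while a response bound to the page origin the victim is actually on cannot.

```python
import hashlib
import hmac
import secrets

GOOD_ORIGIN = "good.example"  # assumed origin of the legitimate site

def browser_sign(key, challenge, page_origin):
    # Browser half of the origin-bound flow: the response covers the origin of the
    # page that asked for it, so a page on bad.example only gets a bad.example response.
    return hmac.new(key, challenge + page_origin.encode(), hashlib.sha256).digest()
class GoodServer:
    """Toy GOOD backend: the thread's emailed code next to an origin-bound response."""
    def __init__(self):
        self.pending_codes = {}       # email -> code "delivered" to that inbox
        self.pending_challenges = {}  # email -> outstanding random challenge
        self.device_keys = {}         # email -> key registered from the user's device

    def request_email_code(self, email):
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending_codes[email] = code
        return code  # stands in for the email arriving in the user's inbox

    def login_with_code(self, email, code):
        expected = self.pending_codes.pop(email, None)  # single use
        # The code is the entire proof: whoever submits it first is logged in.
        return expected is not None and hmac.compare_digest(expected, code)

    def request_challenge(self, email):
        self.pending_challenges[email] = secrets.token_bytes(32)
        return self.pending_challenges[email]

    def login_with_assertion(self, email, assertion):
        challenge = self.pending_challenges.pop(email, None)
        key = self.device_keys.get(email)
        if challenge is None or key is None:
            return False
        # Only a response computed over GOOD's own origin is accepted.
        return hmac.compare_digest(browser_sign(key, challenge, GOOD_ORIGIN), assertion)
def code_relay_succeeds():
    # The thread's flow: BAD requests the code, the victim types it into BAD, BAD submits it.
    good = GoodServer()
    code_in_inbox = good.request_email_code("victim@example.com")
    return good.login_with_code("victim@example.com", code_in_inbox)
def challenge_relay_succeeds():
    # Same relay: BAD forwards GOOD's challenge to the victim's browser, which is on bad.example.
    good = GoodServer()
    good.device_keys["victim@example.com"] = secrets.token_bytes(32)
    challenge = good.request_challenge("victim@example.com")
    relayed = browser_sign(good.device_keys["victim@example.com"], challenge, "bad.example")
    return good.login_with_assertion("victim@example.com", relayed)
```

The model deliberately leaves out expiry and rate limiting, which matter in practice but do not change the outcome of either relay.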

Almondsetat 9 days ago

This attack technique is called "real time phishing". If you need a diagram or a more detailed explanation, look it up.

ErneX 9 days ago

There are sites that immediately send you a 6-digit code just by entering your email on their sign-in page; they don't even request a password. That means you could be phished on a fake website which, when you enter your email there, does it on the real site; then you receive the real good code and enter it on the fake site.

johnisgood 9 days ago

It is just the same old stuff with username & password combination. I used to duplicate websites, they looked exactly like the original, except I was storing the entered username and password combination. I did this when I was a kid. The process is the same (or very similar) with everything else that is not a password.

ErneX 9 days ago

True, they do it to facilitate access to their site without a password, but personally I don’t like getting an email just because I entered my username to sign in (my password manager takes care of filling the form so that email with a code is unnecessary to me).

johnisgood 8 days ago

I agree, I do not want an email either.