You are.

There is no password in these new flows. They just ask for email or phone and send you a code.

Bad website only needs to ask for an email. It logs into Good with a bot using that email. Good sends you the code. You put the code in bad. Bad finishes the login with that code.

At no point in time is a password involved in these new flows. It's all email/txt + code.

Many sites work like this now. Resy comes to mind.