derekzhouzhen 9 days ago

How is it different from a plain old password?

1) User goes to BAD website and enters credentials

2) BAD website uses GOOD website to check if the credential is valid

3) Pwned

It is just a MITM attack. The moment you go to BAD and enter a credential (password or one-time code) you are done.