[tczMUFlmoNk]

I think this means:

1. You go to evil.example.com, which uses this flow.

2. It prompts you to enter your email. You do so, and you receive a code.

3. You enter the code at evil.example.com.

4. But actually what the evil backend did was automated a login attempt to, like, Shopify or some other site that also uses this pattern. You entered their code on evil.example.com. Now the evil backend has authenticated to Shopify or whatever as you.

[bscphil]

The site is comparing this method to plain username + password though. Doesn't that miss the obvious point that evil.example.com could do the exact same thing with the username + password method, except it's even easier to phish because they just get your username + password directly (when you type them in) and then an attacker can log in as you via a real browser?

[druskacik]

evil.example.com can be a legitimate-looking website (e.g. a new tool a person might want to try). If it has a login with email code, it can try to get the code from a different website (e.g. aforementioned Shopify).

For the username + password hack to work, the evil.example.com would have to look like Shopify, which is definitely more suspicious than if it's just a random legitimate-looking website.