There are sites that send you immediately a 6 digit code just by entering your email on their sign in page, they don’t even request a password. That means you could be phished on a fake website that when you enter your email there they do it on the real site, then you receive the real good code and enter it on the fake site.
It is just the same old stuff with username & password combination. I used to duplicate websites, they looked exactly like the original, except I was storing the entered username and password combination. I did this when I was a kid. The process is the same (or very similar) with everything else that is not a password.
True, they do it to facilitate access to their site without a password, but personally I don’t like getting an email just because I entered my username to sign in (my password manager takes care of filling the form so that email with a code is unnecessary to me).
