While this will work a very large proportion of the time, and has a big benefit of offloading security as you mention, email is fundamentally asynchronous and can be affected by issues outside of your (and the email providers') control.

Another point that UX designers might make is that this solution necessarily takes users away from your site to complete login, and that can introduce a place for users to drop off. I'm not sure it's that significant, but I've heard it used as an argument.

> email is fundamentally asynchronous

Yes, but this affects your recovery attempts as well, today email is basically instantaneous for most people.

> this solution necessarily takes users away from your site to complete login

This is probably the biggest reason to avoid this solution, but I still like it over other options.

Passwords can already universally be recovered through email. I wish ALL sites had this feature. It's essentially a one time password, that expires.

Exactly. The only password that really matters is the one for your email. Everything else just provides additional attack vectors.

That only works for services that do not store any sensitive data and employ costumer controller encryption, if your password is used as a cryptographic tool then it’s out of the question to use such mechanism.

Then how would you be able to reset your password? All I'm saying is that any service that allows password resets shouldn't have passwords at all.

Whatsapp has figured out a solution to this problem. i.e. what is your Whatsapp password?

Your telephone number. So instead of something you know (password), they use something you have (phone).

Yeah, but be careful never to use an email that you might lose access to (which in principle, could be any email).

What's the difference? They'll just recover your passwords either way. Secure your email password, use two factor authentication. Now you're more secure than just about any website you're using.

Well, for example if you're a student and you have you@your.edu, you might lose access to that account after you graduate.

And providers like GMail can ban your account without warning or recovery options.

Same issue applies if you forget your password to any site.

How does that deal with email providers that follow all links with their virus scanner? (many corp emails...)

Usually these credentials are one-time usage.

"Click to continue" Javascript on the landing page, IME. Or a time-based limit, which seems more user-friendly: if you close the tab you can reopen it or go back to your email.

I'd guess however any service that requires account confirmation to work.

This sounds like a solved problem, though I don't really know.

Not everyone as solved it. It is an actual issue that people have.

No I mean that seeing how widespread click-to-confirm emails are I'd think there are best practices for how to implement them to avoid fake clicks. Whether those ideas are followed by everyone is another story, but all the pitfalls that people are pointing out apply in one way or another to the password system as well.

You could also remove that customer pain point by auto-verifying them without checking their email for the very first time they login, and it would expire after they close their browser or 1 hour, whatever comes first.

It's really no less secure than allowing someone to sign up with an email / password and let them in without first confirming their email address.

I also do this with websites I make. It is a little inconvenient, but it's worth it, assuming the person logging in as a secure way to access their email (2 factor auth).

It is a lot inconvenient, given the various and myriad issues with guaranteeing email deliverability. Multiple hosting providers use greylisting or something like it which can delay email by minutes to hours, depending on the behavior of the sending mail server. Almost all hosting providers use one or more layers of spam filtration which can incorrectly trap or dispose of your message. Many users have additional mailbox rules set up which may accidentally match your message and route it to an unexpected folder. Relatively small mistakes with things like SPF can further complicate deliverability. You may also use some popular mail delivery service or another, which means that when that service has a bad customer that annoys enough other system administrators, the entire service gets blackballed, your messages along with it. (Hi, SendGrid.)

DigitalOcean's two-factor authentication used email, and email only, which several times caused us some headaches when there was an urgent issue and our person-in-charge couldn't access the account.

I've had a system administrator role for multiple companies over almost 15 years now. I've yet to see a perfectly reliable email system.

Doing password resets over email is one thing (though I think SMS is still better). At that point, the individual no longer has access to their account anyway, and you're dealing with a much smaller number of impacted users. It's much worse to throw up your hands and say, "I don't want to deal with passwords, let's use email", especially now that there are so many good password-handling libraries for so many different development environments and numerous articles on proper password handling.

Can you expand on your preference for SMS password resets to email password resets? As a user I prefer email, but I'm biased by the fact that I used email for a decade before I had SMS and I've had a malicious actor gain control of my phone number and receive SMS on it but never had the same with email.

Sure, it's basically just down to those problems with email deliverability. As you correctly point out, SMS isn't a perfectly secure solution either; however, I almost always receive an SMS for authentication within a few seconds to a minute, and only in a few cases have never received the message at all.

If text messages were abused to the degree that email is, and all kinds of different things were developed to try to "solve" that abuse (as has happened with email), then deliverability would suffer and it would be a coin toss for which approach to use.

Would you please elaborate how someone took over your phone & sms? This is my nightmare..

But as others have said either way email is an attack vector because it's often used for account recovery, this way at least it's a lot clearer who is in charge of security, it's the user and the email provider (whether they like it or not).

The only thing that implies security is an airgapped (even that is debatable) or powered off computer.