
Some never memorize their passwords at all, instead relying on 'forgot' emails and "Remember Me" features entirely.


Which isn't even that bad of an idea. Some websites basically use this as the only way to log in.


Slack does this exceptionally well. If you forget which accounts you have, you can put in an email address and it will email you a list of your Slack accounts. If you forget your password, you can get a magic link that automatically signs in through a deep link into the app, no password needed.


It's such a cool idea. If you can reset your password using only your email, there's no security reason you can't just log in with it. It might even be better, since you can then add more annoying steps to the password reset strategy.


But Slack then must rely on the security of your email. If the site is dealing with sensitive information like credit cards, this could be a no go.


Any site that has an "enter your email for a reset link" feature relies on your email security.


Almost every website in existence except the most security sensitive like bank websites will allow you to reset your password with email.


What email based log in that doesn't use 2FA doesn't ultimately rely on the security of your email?


Indeed. On sites I have to register but know I won't go frequently I enter a random password I don't even write down, relying on the Forgot password feature if I ever need to come back later.


I have wondered if some web pages effectively have this as the main login method. If you have a hurricane tracking page, everyone is going to forget their passwords in between hurricane seasons.


Steam has nearly done this for me.

Oh, it has a password. But if I remember my password I have to check my email and copy and paste a code from there. And if I forget my password I have to... check my email and copy and paste a code from there... really not much point to the password.


Bulb energy supplier in the UK trialled this - they soon switched due to complaints although I didn't really mind it.

I assume it was due to the inconvenience of not being able to remember a password/stay signed in.


Yahoo Japan (not really related to the defunct original Yahoo and still very successful in Japan) recently abolished passwords for new accounts.

You can only login with reset emails or SMS codes, which is pretty annoying.


I wondered about this too and asked about it on the security stackexchange forum in case I was overlooking some glaringly obvious reason not to. Turns out that most thought it was reasonable too, though maybe too frustrating for some.

https://security.stackexchange.com/q/12828/8518


I've seen Blendle and a couple of other web sites do this.

You go to the login page, and your choices are federated login, standard login, or a one-time login e-mail.


medium.com is famous for email OTP authentication. They even blogged about it (search Hacker News for more information).


In India, most mobile apps use a phone number as the username and an OTP instead of a password. Makes perfect sense for mobile apps. Except when the OTP doesn't arrive due to congested SMS networks. Or when your account gets hacked with a SIM takeover or SMS MitM (both are currently unheard of in India).


I think you just jinxed it.


It is one way to go "passwordless"... though you're piggybacking on the security that your email system already has.

Shameless plug of an old post that describes how to restrict login to only the initiator even if login is initiated via an email link - http://sriku.org/blog/2017/04/29/forget-password/
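The magic-link flow discussed above (a reset-style email that logs you in directly, as in the Slack comment) and the "restrict login to the initiator" idea in this comment can be shown in one piece of server-side logic. The following is an added example, not code from Slack, from the linked sriku.org post, or from any site named in the thread. It assumes a hypothetical `MagicLinkService` with an in-memory store standing in for a database: the server keeps only a hash of the emailed token, the token expires and is single-use, and the browser that started the login receives a separate random cookie that must be presented when the link is opened, so a link clicked from a different device (or by whoever can read the mailbox) does not sign in.

```python
import hashlib
import hmac
import secrets
import time
from typing import Callable, Optional, Tuple

# Lifetime of an emailed link. Assumption for this example; sites pick their own.
TOKEN_TTL_SECONDS = 15 * 60


class MagicLinkService:
    """Hypothetical magic-link login with initiator binding (example code)."""

    def __init__(self, now: Callable[[], float] = time.time):
        self._now = now
        # token_hash -> {"email", "attempt_hash", "expires"}; stands in for a DB.
        self._pending = {}

    @staticmethod
    def _hash(value: str) -> str:
        return hashlib.sha256(value.encode("utf-8")).hexdigest()

    def start_login(self, email: str) -> Tuple[str, str]:
        """User submitted their email on the login page.

        Returns (link_token, attempt_cookie). The token is placed in the
        emailed link; the cookie is set only in the initiating browser.
        Neither secret is stored in the clear, so a database leak does not
        yield usable links or cookies.
        """
        link_token = secrets.token_urlsafe(32)
        attempt_cookie = secrets.token_urlsafe(32)
        self._pending[self._hash(link_token)] = {
            "email": email,
            "attempt_hash": self._hash(attempt_cookie),
            "expires": self._now() + TOKEN_TTL_SECONDS,
        }
        return link_token, attempt_cookie

    def login_url(self, link_token: str) -> str:
        """Constructed URL shape for the email body (hypothetical host)."""
        return "https://example.invalid/login/magic?token=" + link_token

    def finish_login(self, link_token: str, attempt_cookie: Optional[str]
                     ) -> Tuple[Optional[str], str]:
        """The emailed link was opened. Returns (email or None, reason).

        The token is consumed on the first presentation whether or not the
        check succeeds, so an attacker who reads the mailbox and clicks the
        link burns it; the real user then fails to log in and notices.
        """
        record = self._pending.pop(self._hash(link_token), None)
        if record is None:
            return None, "unknown-or-used-token"
        if self._now() > record["expires"]:
            return None, "expired"
        if attempt_cookie is None:
            return None, "initiator-mismatch"
        if not hmac.compare_digest(self._hash(attempt_cookie),
                                   record["attempt_hash"]):
            return None, "initiator-mismatch"
        return record["email"], "ok"


def demo() -> Tuple[Tuple[Optional[str], str], Tuple[Optional[str], str]]:
    """Same-device click succeeds; the same link from another device fails."""
    svc = MagicLinkService()
    token, cookie = svc.start_login("user@example.com")
    same_device = svc.finish_login(token, cookie)
    token2, _cookie2 = svc.start_login("user@example.com")
    other_device = svc.finish_login(token2, None)  # no initiator cookie
    return same_device, other_device


if __name__ == "__main__":
    print(demo())
```

The trade-off the next comment raises is visible in `finish_login`: because the cookie lives only in the browser that submitted the email form, opening the link on a phone while the form was filled in on a borrowed computer is rejected as `initiator-mismatch`. A site that wants the cross-device case has to drop the cookie check and accept that the mailbox alone then gates the login.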


You're relying on your email security either way, since anyone can trigger the password reset email if they get access to your email account.


This breaks my workflow -- I almost never open the forgot-password email on the same machine I used to initiate the request. Usually I need to briefly access a personal account from somebody else's computer or my work computer, and when I'm told I need to check my personal email, I only want to open that on my phone.



