While we're on this topic, why have some sites started refusing to prompt me for my password and instead are sending codes to my email? slack.com is a great example. It's like 2FA without the first factor.
It’s because the average person has so many passwords in various formats that they forget. But that person most likely has access to their email.
Instead of taking the user on a password reset journey, just shortcut to login.
The attack vector is restricted to email no matter what.