[GordonS]

Hmm, it "feels" insecure to me, but thinking on it, I'm not sure why, especially since most email is web-based these days, and pretty much all the rest goes over encrypted IMAP/POP/Exchange.

What concerns do you have?

[shafyy]

For one, if an attacker has access to your email, they also can log in to all your accounts where you used e-mail based login.

[arubania2]

That is also true for every password-based account without 2FA by means of password reset.

Plus, having someone access your email account means you're pwned anyway - they can see your sensitive documents that were received / sent as attachments, they can read recent conversations and phish information, maybe even ask for a downpayment, etc.

So the basic rule should be: don't lose access to your email.

That doesn't mean that email-based login is good, just that IMO this point is kind of moot.

Also, do email-based login flows allow 2FA?

[shafyy]

Yes, you're very pwned if somebody has access to your email account. But less pwned than if they can also access all your other accounts directly at the same time =)

Of course, combining email-based login with another factor makes it more secure again, I was just talking about one factor.

[prash_murali21]

Agree with this. I don't see why you cannot add 2FA to email based login flows.

[GordonS]

This is true of any non-physical authentication factor, so is your view that a second factor should always be "something you have"?

As, what about web-based email systems that enforce 2FA? Isn't that a good mitigation?

Any other issues you see? (genuinely just curious, I don't mean to needle you :)

[pelagicAustral]

There is none. I implemented passwordless on an app a few months back and a few weeks ago it passed a CHECK pentest with no flaws detected or expected in auth. It’s basically asking the user to reset their password every time, which is much safer than having them using “123456” as their password.

I use Sendgrid to send the email and have had no issues with the service so far.