Hacker News
by shafyy 1459 days ago
For one, if an attacker has access to your email, they also can log in to all your accounts where you used e-mail based login.
2 comments

That is also true for every password-based account without 2FA by means of password reset.

Plus, having someone access your email account means you're pwned anyway - they can see your sensitive documents that were received / sent as attachments, they can read recent conversations and phish information, maybe even ask for a downpayment, etc.

So the basic rule should be: don't lose access to your email.

That doesn't mean that email-based login is good, just that IMO this point is kind of moot.

Also, do email-based login flows allow 2FA?

Yes, you're very pwned if somebody has access to your email account. But less pwned than if they can also access all your other accounts directly at the same time =)

Of course, combining email-based login with another factor makes it more secure again, I was just talking about one factor.

Agree with this. I don't see why you cannot add 2FA to email based login flows.

This is true of any non-physical authentication factor, so is your view that a second factor should always be "something you have"?

Also, what about web-based email systems that enforce 2FA? Isn't that a good mitigation?

Any other issues you see? (genuinely just curious, I don't mean to needle you :)

There is none. I implemented passwordless on an app a few months back and a few weeks ago it passed a CHECK pentest with no flaws detected or expected in auth. It's basically asking the user to reset their password every time, which is much safer than having them use "123456" as their password.

I use Sendgrid to send the email and have had no issues with the service so far.
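The "reset your password every time" flow described in the last comment, as an added example that is not code from the thread or from any commenter's app. It shows the properties a magic-link issuer needs so that the link really is no weaker than a one-time reset: a high-entropy secret, only a hash of it stored server-side (a leaked table cannot be replayed), a short expiry, single use, and a constant-time comparison. The `MagicLinkService` class, the `https://app.example/login` URL shape, the in-memory store and the 15-minute TTL are assumptions for illustration; the delivery step (the email itself, Sendgrid or otherwise) and any second factor checked after `redeem` are out of scope here.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from urllib.parse import parse_qs, urlparse

# Assumption: a 15-minute window, a common choice for magic links / reset links.
TOKEN_TTL_SECONDS = 15 * 60


@dataclass
class PendingLogin:
    email: str
    token_hash: bytes   # only the hash of the secret is stored server-side
    expires_at: float
    used: bool = False


class MagicLinkService:
    """Illustrative passwordless login (hypothetical, not any real project's code).

    Each login issues a fresh one-time token, exactly as a password-reset flow
    would; the difference is only that it happens on every sign-in.
    """

    def __init__(self, ttl=TOKEN_TTL_SECONDS, clock=time.time):
        self._store = {}      # token_id -> PendingLogin; stands in for a DB table
        self._ttl = ttl
        self._clock = clock   # injectable so expiry can be exercised in tests

    @staticmethod
    def _hash(secret):
        return hashlib.sha256(secret.encode()).digest()

    def issue(self, email):
        """Create a pending login and return the link to email to the user."""
        token_id = secrets.token_urlsafe(16)   # lookup key, not secret on its own
        secret = secrets.token_urlsafe(32)     # 256 bits of entropy; sent only in the link
        self._store[token_id] = PendingLogin(
            email=email.strip().lower(),
            token_hash=self._hash(secret),
            expires_at=self._clock() + self._ttl,
        )
        # Hypothetical URL shape; the secret travels in the link, never in the store.
        return f"https://app.example/login?id={token_id}&t={secret}"

    def redeem(self, token_id, secret):
        """Return the authenticated email, or None if the link is unknown, expired,
        already used, or carries the wrong secret. Never raises on bad input."""
        rec = self._store.get(token_id)
        if rec is None:
            return None
        if rec.used or self._clock() > rec.expires_at:
            return None
        # Constant-time compare: a leaked DB row (hash only) cannot be replayed,
        # and timing does not reveal how many bytes of a guess matched.
        if not hmac.compare_digest(rec.token_hash, self._hash(secret)):
            return None
        rec.used = True   # single use: clicking the same link twice fails
        return rec.email


def parse_link(link):
    """Split the emailed link back into (token_id, secret), as the login endpoint would."""
    q = parse_qs(urlparse(link).query)
    return q["id"][0], q["t"][0]


if __name__ == "__main__":
    svc = MagicLinkService()
    link = svc.issue("alice@example.com")
    tid, sec = parse_link(link)
    print("first click :", svc.redeem(tid, sec))   # alice@example.com
    print("second click:", svc.redeem(tid, sec))   # None (already used)
```

A second factor, as several commenters suggest, would sit after a successful `redeem`: treat the returned email as a half-authenticated session and require the TOTP or hardware-key step before issuing the real session cookie.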