by GordonS 1459 days ago
This is true of any non-physical authentication factor, so is your view that a second factor should always be "something you have"?

Also, what about web-based email systems that enforce 2FA? Isn't that a good mitigation?

Any other issues you see? (genuinely just curious, I don't mean to needle you :)

1 comment

There is none. I implemented passwordless on an app a few months back and a few weeks ago it passed a CHECK pentest with no flaws detected or expected in auth. It’s basically asking the user to reset their password every time, which is much safer than having them use “123456” as their password.

I use SendGrid to send the email and have had no issues with the service so far.