by huggingmouth 885 days ago
Sure, but then you can't call it MFA.

"Password or email" is one factor, and "code generator" or SMS or whatever is the other factor.
Of course you can: password + email access = two factors = multi-factor
> Of course you can: password + email access = two factors = multi-factor

No, you're resetting an unknown password, bypassing one of those factors.

Hm, that's true. I'd say it's not good 2FA, but it is 2FA tho. Matter of definitions.
2FA means BOTH factors are needed. The situation you are discussing here is not password and email but password or email. Either one would work.

I have seen services that send a token to your email every time you log in, or when you log in on a new device, or when you haven't logged in in a long time. That would indeed be a form of 2FA. But these services also allow you to reset the password through email, so it's not exactly 2FA all the time like most other 2FA setups.