[tpxl]

1. Input username/password -> get email otp code.

2. Forget password -> get email for new password -> input username/new password -> get email otp code.

The only actual security factor here is your [email, email password], everything else is just silly rigamarole.

[tzs]

Note that by doing it that way they don't have to have a special case for handling input of username/password when that password is a new password. Making security critical code simpler is generally a good idea.

Whether it is worth annoying some users in the password reset case to avoid making the login code slightly more complicated is going to depend on your specific situation.

[runeb]

I read their point as why have passwords at all when the security is you having access to your email account.