by projektfu 26 days ago
Some providers (looking at you, Intuit) don't seem to understand TWO factor authentication and will allow someone to bypass your password if they can intercept the SMS or email, and treat it as a normal login.
1 comment

I can imagine an evolution like:

1. Introduce passwords

2. Introduce email-based reset flow

3. Introduce 2FA (optional)

4. Someone says "take the password reset flow, trigger it automatically when a user tries to log in and has only given their email, hide the password field during login, and after the email is validated drop the user back to their previous journey instead of having them set a new password"

5. You see #4 as #3 failing, but when #3 was never applied it's not quite that. Aside: making #3 mandatory would be smart.

It's Intuit's normal login flow. Enter username and it then says enter password or click here and we'll text/e-mail you a code. Ironically, if you use a password it will often text you a 2FA code.
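To make the distinction in the thread concrete, here is an added example (not Intuit's code and not any commenter's) that models the login flow as a small state machine. A session records which factors have actually been demonstrated; the `code_alone_logs_in` switch chooses between the flow described above (the emailed/texted code is accepted as a password substitute) and one where the code is only ever a second factor. The user store, salt, and code-delivery "outbox" are constructed stand-ins for a database and an SMS/email gateway; the attack function plays an attacker who knows only the email address and can read the delivered code.

```python
"""Model of a password + out-of-band code login.  Toggling
``code_alone_logs_in`` shows the difference between treating the code as a
second factor and treating it as a login shortcut around the password."""
import hashlib
import hmac
import secrets


def _hash_pw(pw: str, salt: bytes) -> bytes:
    # PBKDF2 so the model never holds a plaintext password.
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)


# Constructed sample data for the example: one user with 2FA enabled.
SALT = b"fixed-salt-for-demo-only"
USERS = {
    "alice@example.com": {"pw": _hash_pw("correct horse", SALT), "2fa": True},
}


class LoginSession:
    def __init__(self, email: str):
        self.email = email
        self.proven = set()        # factors demonstrated so far
        self.pending_code = None   # outstanding one-time code, if any


class AuthServer:
    def __init__(self, code_alone_logs_in: bool):
        self.code_alone_logs_in = code_alone_logs_in
        self.outbox = []           # stands in for SMS/email delivery

    def start(self, email: str):
        return LoginSession(email) if email in USERS else None

    def submit_password(self, s: LoginSession, pw: str) -> bool:
        ok = hmac.compare_digest(USERS[s.email]["pw"], _hash_pw(pw, SALT))
        if ok:
            s.proven.add("password")
        return ok

    def send_code(self, s: LoginSession) -> None:
        s.pending_code = f"{secrets.randbelow(10**6):06d}"
        self.outbox.append((s.email, s.pending_code))

    def submit_code(self, s: LoginSession, code: str) -> bool:
        if s.pending_code is None or not hmac.compare_digest(s.pending_code, code):
            return False
        s.pending_code = None      # single use
        s.proven.add("oob_code")
        return True

    def is_logged_in(self, s: LoginSession) -> bool:
        if self.code_alone_logs_in:
            # The "click here and we'll text/e-mail you a code" path: either
            # factor on its own completes the login, so the code is really a
            # password replacement, not a second factor.
            return "password" in s.proven or "oob_code" in s.proven
        # Hardened policy: the code never substitutes for the password, and
        # with 2FA enabled both must be proven in the same session.
        required = {"password", "oob_code"} if USERS[s.email]["2fa"] else {"password"}
        return required <= s.proven


def intercepted_code_attack(server: AuthServer) -> bool:
    """Attacker knows only the email and can read the delivered code."""
    s = server.start("alice@example.com")
    server.send_code(s)
    _, code = server.outbox[-1]    # what an SMS/email interceptor sees
    server.submit_code(s, code)
    return server.is_logged_in(s)


def legitimate_login(server: AuthServer, pw: str) -> bool:
    """The account owner: password first, then the code."""
    s = server.start("alice@example.com")
    server.submit_password(s, pw)
    server.send_code(s)
    _, code = server.outbox[-1]
    server.submit_code(s, code)
    return server.is_logged_in(s)


if __name__ == "__main__":
    print("weak flow, intercepted code only:", intercepted_code_attack(AuthServer(True)))
    print("hardened flow, intercepted code only:", intercepted_code_attack(AuthServer(False)))
    print("hardened flow, owner with password+code:", legitimate_login(AuthServer(False), "correct horse"))
```

The check that matters is in `is_logged_in`: whether the server asks "has any one factor been shown?" or "has every required factor been shown?". Anything else in the flow (hashing, one-time codes, constant-time compares) is good hygiene but does not change the outcome for an attacker who can read the code.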