by Ryoku
4574 days ago
Then a new and huge list of security problems arises when you have to bother the user with getting a new code every time, if they have the sense to close their browser and clean their cookies each time they close their browser (which could be as often as whenever they leave their computer); the fact that losing control of a single email makes you lose control of the account on every site using this system, which defeats the idea, since that email is most likely password protected anyway; etc., etc. In a nutshell: "In most cases you won't need to do this often" is a HUGE fallacy. It depends on the security rules you work/live by. Plus, it would make it really annoying to use if on top of that you're using Tor.

Yes, passwords need to be fixed. They are weak, problematic and a security cheddar cheese. It is why we are now implementing two-factor authentication. Changing the "fixed password" strategy to a "random and time-limited password" strategy isn't exactly solving more issues than it raises. Again, from a security-wise standpoint. Maybe if this were implemented with something other than your email. Like, for example, bank tokens or cell phone verifications... which, again, are part of a two-factor authentication because by themselves they would be too easy to break.

Think about the following scenario: You use X site with this email auth system and, for example, Thunderbird. Stand up and go to the bathroom or a meeting or whatever without locking your computer. Presto! I won't even need to guess a password to get access. Of course getting access to X site would be the least of your worries in that example, but it illustrates the point I'm trying to make.