I'm glad you have a portable device which you can use to access your email. Not every user does.
But you're right. Please use and implement candy security structures.
I feel like you didn't read anything I've written. You haven't even addressed my main point, you just came in here and spewed FUD about this solution without really discussing anything.
Well, I think we are talking about two completely different points and, per your past response, nothing I've said really makes sense to you. Of course I think the solution is useful from a UX perspective; it's awesome. But from a security point of view you are leaving all the security out in a single layer and whenever that layer (single email address) fails, then there's nothing left.
>How is it not helping? Now you have all your accounts requiring two-factor auth to log in, rather than just some of them. You also only have one server to secure, which will presumably be run by people whose sole job is to secure that server.
Yes, you are left with only one server to secure, and yes it is most likely run by people who are good at it. But this is exactly why it's a good example of candy security: As soon as you get past the first wall, there is nothing else stopping you from getting access to everything. And you can't really presume all users will have double auth activated, nor that they will be as cautious with that single set of credentials.
I think it is less secure because it centralizes all the security in one single layer, AKA the email address you are using to handle the credentials. Once you have access to that email, then you have access to everything. Contrary to what happens now, which at least raises more flags when your accounts start getting password changes, etc.