by ravloony 4262 days ago
Doesn't this mean that an attacker now only needs the password to the email account and all these passwordless services get compromised as well?
4 comments

Yes. But this is the case with the current 'forgotten password' system.

Securing your email account can be done without 'only' using a password. I use 2 factor auth on my google accounts, for example.

Forgotten password systems are supposed to use challenge questions to authenticate the user before resetting the password. (Of course, those same sites often provide a way to reset using challenge questions and without an e-mail confirmation, which is how celebrity accounts get compromised.)
As do I. But I would love to see the stats on the active account (used by a real person) vs active account with 2-factor ratio on GMail. I'm willing to bet the take-up is fairly low.

As I mentioned elsewhere in the thread, I missed the password reset link point. I stand corrected.

Yeah, but you're not introducing a new failure point. Most services already let you reset your password - as long as you can click a link they send to you in an email.
If you reset the password the user would notice that he can't log in next time. If you steal and delete the email with the one-time login token the user won't notice, so there is a difference...
Of course, missed that somehow.

With that out of the way, this is really interesting stuff, although some people may end up with crowded inboxes.

Sure, but you're missing the bigger picture: the point is to reduce the total number of passwords a user has to manage in general. The fewer passwords you have to remember, the more likely you are to protect those few 'root identity' accounts (by using a strong auth/password).
One assumes. I am not sure that that would be the case. I remember when my non-tech friends only had email and maybe MSN and their passwords were not secure in any way, even for the time. There is more awareness now, though, so maybe.
If you have someone else's mail you can compromise standard (with password) services as well.
Except in that case you would know it got compromised. If you reset someone else's password via email you would notice yourself when you want to log in that your old password is not accepted anymore. With these one-time auth tokens there is no way to know you got compromised, since sending another one-time token will 'just work'.

This would be great as part of a 2-factor scheme though.
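To make the detectability argument from the thread concrete (a stolen password-reset link locks the legitimate user out, a stolen one-time login token does not), here is an added toy model of both flows. It is example code, not from the thread or any real service; the `Service` class, the user "alice" and the password "hunter2" are constructed for the simulation.

```python
import hashlib
import secrets
from dataclasses import dataclass, field


def _h(s: str) -> str:
    return hashlib.sha256(s.encode()).hexdigest()


@dataclass
class Account:
    password_hash: str
    tokens: set = field(default_factory=set)    # hashes of outstanding one-time login tokens
    logins: list = field(default_factory=list)  # server-side audit trail of successful logins


class Service:
    """Toy site offering both password login (with email reset) and email one-time tokens."""

    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}

    def register(self, user: str, password: str) -> None:
        self.accounts[user] = Account(_h(password))

    def login_with_password(self, user: str, password: str) -> bool:
        acct = self.accounts[user]
        ok = acct.password_hash == _h(password)
        if ok:
            acct.logins.append("password")
        return ok

    def reset_password(self, user: str, new_password: str) -> None:
        # Legacy 'forgotten password' flow: whoever holds the mailbox clicks the
        # reset link and sets a new password. The old password stops working.
        self.accounts[user].password_hash = _h(new_password)

    def send_login_token(self, user: str) -> str:
        # Passwordless flow: a fresh one-time token is mailed to the user.
        # Only its hash is kept server-side; the return value stands in for the mailbox.
        tok = secrets.token_urlsafe(32)
        self.accounts[user].tokens.add(_h(tok))
        return tok

    def login_with_token(self, user: str, tok: str) -> bool:
        acct = self.accounts[user]
        if _h(tok) in acct.tokens:
            acct.tokens.discard(_h(tok))  # single use
            acct.logins.append("token")
            return True
        return False


def simulate_reset_attack() -> tuple[bool, int]:
    """Attacker with mailbox access resets the password; returns (victim can still log in, total logins)."""
    svc = Service()
    svc.register("alice", "hunter2")
    svc.reset_password("alice", "attacker-chosen")
    svc.login_with_password("alice", "attacker-chosen")
    return svc.login_with_password("alice", "hunter2"), len(svc.accounts["alice"].logins)


def simulate_token_attack() -> tuple[bool, int]:
    """Attacker steals and deletes a token mail; the victim's next token still 'just works'."""
    svc = Service()
    svc.register("alice", "unused-password")
    stolen = svc.send_login_token("alice")   # read and deleted from the mailbox by the attacker
    svc.login_with_token("alice", stolen)
    fresh = svc.send_login_token("alice")    # victim asks for a new one later
    return svc.login_with_token("alice", fresh), len(svc.accounts["alice"].logins)
```

In the reset case the victim's own login fails, which is the signal the thread relies on; in the token case the only trace is the extra entry in the server-side `logins` list, which the user never sees unless the service surfaces it.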