
It's clever but I wouldn't use it. First the user experience of going from one channel (web) to another (email) isn't very natural but the second and biggest reason is that it turns an email account into a central authority to access my other accounts from.

Some say email is already like that but it isn't with services using two factor authentication.

I don't think there is an easy and intuitive way to get rid of passwords without involving some sort of physical component that stays on yourself.




What is your workflow that this would be any more difficult? The first time you sign up for a service you almost always have to do this anyway for confirmation. If you then select the "Remember me" path, your primary computer is whitelisted and you don't have to do the round-trip.

Due to "Forgot my password" workflows email is already a central authority. If you have two factor auth set up for your email account then you're already pretty well protected and having each and every service use a different two-factor method provides diminishing returns in security.

The funny thing about this proposal is that it is exactly the way my non-technical family members use every service. They don't bother with passwords; they just use reset links every time. They don't have to remember anything and it's a common workflow.


> What is your workflow that this would be any more difficult? The first time you sign up for a service you almost always have to do this anyway for confirmation. If you then select the "Remember me" path, your primary computer is whitelisted and you don't have to do the round-trip.

This assumes one (or n) devices that belong to you. I typically have to log into multiple services using a large number of computers for work. In my use case this would be tremendously annoying, whereas with two-factor I can simply log in like normal and type in the code from my phone's app.

> If you have two factor auth set up for your email account then you're already pretty well protected and having each and every service use a different two-factor method provides diminishing returns in security.

I disagree; it prevents someone from getting into my email due to a vulnerability and then being able to get into every other service I'm connected to. Each service I use would, ideally, have two factor (though I obviously do not think two factor is perfect but it's better right now than most alternatives in my opinion).


Interesting; it's clear that in your use case it would be more of a hassle, but in response to the second point it seems you're OK with the hassle of two-factor authentication for many services.

I guess whatever the scenario, 2-factor + email round trip is more of a hassle than 2-factor + password.

Thanks for your response!


"The funny thing about this proposal is that it is exactly the way my non-technical family members use every service."

+1 to that. My non-technical family and friends do the same.

I spent a month experimenting with this approach myself vs using LastPass. It was actually pretty comfortable - easier than 2 part auth - excepting that sometimes the forgot password links were difficult to find.


You don't have to do that. Persona is pluggable, and what looks like your email address isn't, really. For example, I made a third-party authentication platform that you can use to authenticate, instead of your email provider: https://www.persowna.net/


Sure, 2-factor auth (by its very nature) prevents sign-in from a single source, but 2FA is an additional layer of security on top of passwords, NOT a reason why email isn't already a central way to bypass password security.

To put it another way: This article describes logging in to a service via an email sent to your account. Every major service already has this in-place via the use of the "forgot password" link; if I have access to your email account, I can already log into any service which sends a reset link to your inbox.

2-factor auth is great as an additional layer of security on top of either this method or the traditional password method, so why not just remove the additional vulnerability of permitting logins via passwords stored everywhere else on the internet, too?
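The email login link flow this comment compares to the "forgot password" link, with the "Remember me" device whitelist mentioned earlier in the thread, as an added example that is not from the article or any commenter. The in-memory store, the TTL values and the ManualClock are assumptions; it shows the properties a defender wants from such a link: stored only as a hash, time-limited, and single-use.

```python
import hashlib
import secrets
import time

LINK_TTL = 15 * 60            # seconds a login link stays valid (assumed)
DEVICE_TTL = 30 * 24 * 3600   # lifetime of a "Remember me" cookie (assumed)


class ManualClock:
    """Injectable clock so expiry can be exercised without sleeping."""
    def __init__(self, t=0.0):
        self.t = t

    def __call__(self):
        return self.t


class MagicLinkService:
    """Minimal email-link login with hashed, expiring, single-use tokens."""

    def __init__(self, now=time.time):
        self.now = now
        self._links = {}    # sha256(token) -> (email, expires_at)
        self._devices = {}  # sha256(cookie) -> (email, expires_at)

    @staticmethod
    def _h(secret):
        # Only the hash is stored, so a leaked store cannot be replayed.
        return hashlib.sha256(secret.encode()).hexdigest()

    def issue_link(self, email):
        """Return the raw token to embed in the emailed link."""
        token = secrets.token_urlsafe(32)
        self._links[self._h(token)] = (email, self.now() + LINK_TTL)
        return token

    def redeem_link(self, token):
        """Return the email if the link is valid; the token is consumed either way."""
        entry = self._links.pop(self._h(token), None)
        if entry is None or self.now() > entry[1]:
            return None
        return entry[0]

    def remember_device(self, email):
        """Issue a long-lived cookie so this browser skips the email round trip."""
        cookie = secrets.token_urlsafe(32)
        self._devices[self._h(cookie)] = (email, self.now() + DEVICE_TTL)
        return cookie

    def login_with_device(self, cookie):
        """Return the email for a remembered device, dropping it once expired."""
        key = self._h(cookie)
        entry = self._devices.get(key)
        if entry is None or self.now() > entry[1]:
            self._devices.pop(key, None)
            return None
        return entry[0]
```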


> To put it another way: This article describes logging in to a service via an email sent to your account. Every major service already has this in-place via the use of the "forgot password" link; if I have access to your email account, I can already log into any service which sends a reset link to your inbox.

Except with two-factor authentication you can't simply reset your password via email and log in. It's not perfect, but services using two-factor authentication prevent email from being a completely centralized way of authentication. I at least like that aspect of it.


Are disconnected tokens (1) as a 2-factor auth safe enough?

Why not one of these on a thin enough tag to stick on your phone? Sounds like a very good solution for me.

(1) http://en.wikipedia.org/wiki/Security_token#Disconnected_tok...



