I think this is a net positive for overall security if this is used for appropriately low-security sites, because it doesn’t let someone use their single password on a number of sites. I use a password manager so it’s no problem to have many accounts, each with their own secure password, but this would be a big step up for someone who uses “123456” as their password on every website and can understand receiving an email. Observations of this implementation:
The sessions expire in an hour, so session replay attacks are of limited value.
It would be more secure if it checked the requesting IP address against the activating IP address.
The email account, as aways, is still the SPOF.