1. 6

  2. 2

    I think this is a net positive for overall security if this is used for appropriately low-security sites, because it doesn’t let someone use their single password on a number of sites. I use a password manager so it’s no problem to have many accounts, each with their own secure password, but this would be a big step up for someone who uses “123456” as their password on every website and can understand receiving an email. Observations of this implementation:

    • The sessions expire in an hour, so session replay attacks are of limited value.

    • It would be more secure if it checked the requesting IP address against the activating IP address.

    • The email account, as aways, is still the SPOF.