Very short, badly written article. It can't even describe phishing correctly... ...

donatj · 2025-08-07T03:49:39 1754538579

You misread the short article.

It's about email as single factor auth, which has become very trendy of late. You just enter your email address, no password, and the email you a code. Access to your email is the only authentication.

pandorobo · 2025-08-07T03:53:00 1754538780

Clearly I didn't misread that. It's literally the very first bullet point?

Thorrez · 2025-08-07T07:50:35 1754553035

The first bullet point is "Enter an email address or phone number".

That's not MFA. MFA stands for multi-factor authentication. If the authentication only requires a code sent to an email OR phone number, that's just a single factor.

M95D · 2025-08-07T08:55:41 1754556941

But then, email always was the only authentication. On any site, click "forgot password" and promptly they send you a reset password link. Very few sites have a challenge question.

ClikeX · 2025-08-07T15:10:51 1754579451

Could be worse, I still sometimes get my password emailed in plain text by companies when I do that.

pandorobo · 2025-08-07T03:51:20 1754538680

The first bullet point mentions phone number.

- Enter an email address or phone number

Thats not just email, that's also SMS.

eddythompson80 · 2025-08-07T04:00:43 1754539243

Email OR SMS is still one factor. Its not multiple factors. How are you not getting that? Do you know what MFA means?

max__dev · 2025-08-07T04:06:33 1754539593

Even if it was Email OR password, that would still be one factor due to the OR. I do not think they are discussing in good faith.

Ferret7446 · 2025-08-07T04:39:06 1754541546

> It's about email as single factor auth, which has become very trendy of late

I must be in the wrong bubble, I have not encountered any site that does this since the 2000s. It was a minor trend around then IIRC.

eddythompson80 · 2025-08-07T05:40:14 1754545214

Anthropic is the main one. Its pushing a lot of others to do the same. I literally was arguing against that 2 weeks ago and the person who was pushing it said "Claude does that. Its really slick, no password to remember".

Patreon can do that too, depending on how you sign up.

moi2388 · 2025-08-07T06:10:42 1754547042

It’s not slick at all. Passwords and MFA autofill, their image codes don’t, so I have to close the browser, go to email, copy code, delete email, go to browser, paste code just to login.

The entire email login flow is completely retarded. It’s not even secure.

const_cast · 2025-08-07T15:22:24 1754580144

A lot of services just do this de-facto, where you only need an email code to reset the password. Which is equivalent to single auth with email.

Email link to reset is better, email link + another auth (usually sms) is even better.

eddythompson80 · 2025-08-07T15:35:03 1754580903

Only in an abstract threat model sense. In real world phishing its pretty different.

Its super odd if you land on facebook.com-profilesadfg.info/login thinking its just Facebook and try to login but get a "password reset" email. Most people would be confused as they don't want to reset their password.

Having it for every login means that just missing the website URL, everything else is 100% legit.

vachina · 2025-08-07T07:50:17 1754553017

It’s not just slick, it is “secure” on the get go by thwarting any password stuffing attempts (if your email is not pwned already)

baobun · 2025-08-07T05:48:39 1754545719

I believe Slack popularized this back then and still do it.

gopkarthik · 2025-08-07T07:44:04 1754552644

In India, almost all websites & apps, send a OTP to either mobile or email & ask you to enter that to login. Most of them have even disabled password based login flows. Really grinds my gears.

wvenable · 2025-08-07T06:27:23 1754548043

Spotify just started doing this. I even have a password saved in my password manager but instead of asking me they just sent an email with a code.

daemin · 2025-08-07T08:12:18 1754554338

Booking does it and it frustrates me to no end.

ErneX · 2025-08-07T08:43:54 1754556234

Trip.com does this.

ipython · 2025-08-07T03:47:06 1754538426

The first factor is access to your email. The second factor is…?

wodenokoto · 2025-08-07T03:59:57 1754539197

The article is not about multiple factor authentication.

It’s about single factor, password logins, using a one-time-token

max__dev · 2025-08-07T03:47:12 1754538432

The article is not about MFA. It is about using email as a single factor.

pandorobo · 2025-08-07T03:50:24 1754538624

Thats simple a lie or you didn't read the article.

The very first bullet point states: Enter an email address or phone number

That insinuates email OR SMS.

It doesn't just mention email only.

max__dev · 2025-08-07T03:54:17 1754538857

The following is copied from wikipedia.

The authentication factors of a multi-factor authentication scheme may include: 1. Something the user has: Any physical object in the possession of the user, such as a security token (USB stick), a bank card, a key, a phone that can be reached at a certain number, etc. 2. Something the user knows: Certain knowledge only known to the user, such as a password, PIN, PUK, etc. 3. Something the user is: Some physical characteristic of the user (biometrics), such as a fingerprint, eye iris, voice, typing speed, pattern in key press intervals, etc.

Email and phone are both in category one, comprising only one unique factor.

sophiebits · 2025-08-07T03:51:23 1754538683

Half factor authentication, then, since either one will work.

anonymars · 2025-08-07T14:13:03 1754575983

What is the minimum number of things you need access to in order to log in?

If you have access to the phone, you can log in. OR if you have access to the email account, you can log in.

You don't need to know the user's password, you only need access to one of these inboxes and nothing else. One-factor authentication, but worse, because there are multiple attack surfaces.

stavros · 2025-08-07T07:13:11 1754550791

It's still a single factor.

ulysss · 2025-08-07T15:24:33 1754580273

Agree with you