const_cast 9 days ago

A lot of services just do this de facto, where you only need an email code to reset the password, which is equivalent to single-factor auth with email.

Email link to reset is better, email link + another auth (usually sms) is even better.

eddythompson80 9 days ago | parent

Only in an abstract threat-model sense. In real-world phishing it's pretty different.

It's super odd if you land on facebook.com-profilesadfg.info/login thinking it's just Facebook and try to log in but get a "password reset" email. Most people would be confused, as they don't want to reset their password.

Having it for every login means that, apart from missing the website URL, everything else is 100% legit.