Email verification isn't super secure either. Now there's legions of sites that if one's email is hacked, it's simple to login. Email social hacking has been one of the top risks for decades now, I know so many this has happened to. It doesnt make my accounts more secure and it wastes my time.
Security analysis (i am a security researcher and worked professionally): if you could reset the password, then there's no change in the threat profile from a compromised email.
yes, obviously, but that doesn't make forcing logins through emails any safer, that's my point. I don't want emails, I don't want texts, I use a password manager, just leave me the F alone and stop taking up all my time with this BS that doesn't make me safer!
I hope we're not talking past each other, because this exchange is why you do NOT let security people control UX for your product, because security is always trade offs. That said, if email password reset was already possible then eliminating passwords objectively removes an attack path—at a UX cost
I'm not in security, so I believe you. We're talking about different issues. I don't want emails, I don't want texts, I don't want it to take 5 minutes for me to log into every fing website all day, that's my point. My life is being taken over by this shit and I'm fed up!