HACKER Q&A
📣 fileeditview

Why not always log in via mail pin code and skip the password?


So I was again resetting one of my thousands of accounts because I didn't remember the password and I wondered about passwords in general. I have a simple question.

Why do we not use one time pin codes sent via mail for logging into websites?

As in: enter your login name and the system sends a pin to your email which is valid for 5 minutes and stops working after login.

So far I don't see the security risk since we have the option to reset a password with the email anyways. If someone gains access to your mail, you always lose.

I must be missing something... what is it?
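
As an added illustration of the flow the question describes (example code written for this page, not from the post or from any of the sites mentioned), a minimal server-side store for e-mail login codes: codes come from a CSPRNG, are stored only as hashes, expire after the 5-minute window, are consumed on first successful use, and are discarded after a few wrong guesses. The injectable clock and the attempt limit are assumptions; sending the e-mail itself is left to the caller.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300   # the 5-minute validity window from the question
MAX_ATTEMPTS = 5         # assumed policy: discard the code after this many wrong guesses


class EmailCodeLogin:
    """Issues and verifies single-use e-mail login codes (in-memory, one process)."""

    def __init__(self, clock=time.time):
        self._clock = clock        # injectable clock so expiry can be exercised in tests
        self._pending = {}         # login name -> (code_hash, expires_at, wrong_attempts)

    @staticmethod
    def _hash(login: str, code: str) -> bytes:
        # Store only a hash so a leaked table does not expose codes that are still live.
        return hashlib.sha256(f"{login}:{code}".encode()).digest()

    def issue(self, login: str) -> str:
        """Create a fresh 6-digit code for the caller to e-mail; re-issuing replaces the old one."""
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[login] = (self._hash(login, code), self._clock() + CODE_TTL_SECONDS, 0)
        return code

    def verify(self, login: str, code: str) -> bool:
        """True exactly once per issued code, and only inside its validity window."""
        entry = self._pending.get(login)
        if entry is None:
            return False                               # nothing pending for this login
        code_hash, expires_at, attempts = entry
        if self._clock() > expires_at or attempts >= MAX_ATTEMPTS:
            del self._pending[login]                   # expired or guessed too often: discard
            return False
        if not hmac.compare_digest(code_hash, self._hash(login, code)):
            self._pending[login] = (code_hash, expires_at, attempts + 1)
            return False                               # wrong code: count the attempt
        del self._pending[login]                       # single use: consumed on success
        return True
```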


  👤 gvb Accepted Answer ✓
1) This will turn your phone SIM into a "master password" - equivalent to using the same password for all your accounts. If a "bad guy" steals your SIM (physically or by tricking the phone company into reassigning the SIM), he will be able to log into every single account you have.

2) It will be a slow PITA when using a computer. While it would be less of a PITA on a phone because you can copy-paste the code, phones are awkward and sub-optimal for many uses and many web pages.

The sequence becomes...

1. Open a web page on your computer

2. Receive a reset code on your phone some time later (seconds, sometimes a lot longer, sometimes never)

3. Read a sequence of random letters or numbers off the phone and accurately type it into your computer


👤 bartvk
You’re missing that email can actually be quite slow for reasons. I’ve had a problem where I hadn’t logged into Twitch for a long time, and it wanted me to enter a one time code, which they mailed me.

The email took so long that the login code was expired. This was on GMail.

But then again, Slack and apps like Overcast use your method.


👤 rzimmerman
If you can reset your password via email it’s effectively a login mechanism - you’re right. I guess passwords are quicker so it’s another more convenient login mechanism. There are a lot of other “prove you are who you say you are” mechanisms: SMS, rotating auth keys, hardware tokens, biometrics. All with upsides and downsides in security and usability.

Passwords that humans remember are on the low end of both security and usability, so I understand your frustration! Password managers work fine but really they’re duct tape pretending to be something like a hard token.

I’ve seen websites do what you say - always log in with an email verification. It’s not bad. My favorite is a push notification to my phone + watch.


👤 detaro
It's more steps and slower if you do know/have saved the password, instant mail delivery is not guaranteed, people log in on devices that do not have the associated email set up, ...