One-time authentication codes like 2-Factor Authentication (SMS/Google Authenticator) are awesome. Aside from the normal benefit of needing "something (physical) you have" to login, the one-time nature means even if a snooper sees a code while it's still valid, the end-user can notice their authentication code has already been used.
From that angle it makes some sense to add email-delivered verification codes to the list of options.
Recently I launched a minimal website with just email verification as auth. When heartbleed hit the news it was a very easy decision to delete my nearly finished password login code :)
One-time authentication codes like 2-Factor Authentication (SMS/Google Authenticator) are awesome. Aside from the normal benefit of needing "something (physical) you have" to login, the one-time nature means even if a snooper sees a code while it's still valid, the end-user can notice their authentication code has already been used.
From that angle it makes some sense to add email-delivered verification codes to the list of options.
Recently I launched a minimal website with just email verification as auth. When heartbleed hit the news it was a very easy decision to delete my nearly finished password login code :)