It’s different because the site doesn’t have a hash (or worse) a plaintext copy of your password to compare. If they get hacked or lose your data, your email password is not exposed.
So it is very different than just reusing your email password, and I hope I have changed your mind.
It’s functionally equivalent to the security of the account recovery process.
So it doesn’t reuse the password, since the second site can’t lose the password it doesn’t have, but it sets the limit on the security of the login to that of the security of the email providers login.
Usually, that’s actually an improvement, since the big email providers most people use tend to enforce reasonable minimums, have good security teams, and people tend to secure their emails better than random sites.it confirms the person trying to log in has access to the email. for example the guy remembering your password from watching you enter it, can’t use it to log in later as he doesn’t get the code.
still, there are better ways.
I would rather more places require email verification.
(As lurch said, even aside from any security uses, it can be used to verify ownership of the email address.)
People fuck up when sharing their email address a lot. And it bugs me no end when I get subscribed to something because someone mistyped
TootSweet111@gmail.com
when they meantTootSweet1111@gmail.com
. (Not my real email address, obviously, but you get the idea.) I’ve had to unsubscribe from other people’s spam more times than I’d like to have.My e-mail has 2FA tho