I agree that email as a transport medium is far from optimal, but it is the only generally available medium currently.
I still think that from the point of view of usability a passwordless solution is better for many applications, where security is not the top priority.
Because so many applications on the web force you to have a password, security in general is at risk. Most people get tired of passwords and use either bad passwords or just one for all. And those passwords are endangering those applications that are really security sensitive.
I would rather like to see that only a few services (like banks, ...) want to have a password and the others just authenticate their users with less intrusive means.
> Most people get tired of passwords and use either bad passwords or just one for all.
That is what password managers fix. iCloud Keychain has gone a long way towards mainstreaming this. It's built in to Safari and securely stored, encrypted with your OS/device's master password -- which is an improvement on Firefox & Chrome's approach, where master passwords are optional.
From a usability standpoint that email method is way worse, at a minimum due to the latency issues. Waiting a minute for an email to arrive can feel like an hour when you're trying to log in to do something urgent. Password managers work "magically".
From a security standpoint the email method is also worse, because it is only usable with very long-lived sessions -- which is not the best security practice. The article even heavily qualifies this method as not appropriate for sites users "visit frequently".
So by the author's own logic, this method is only appropriate for sites that NO users visit frequently. Which is no sites.
Finally, the nail in the coffin for the email approach is that it's incompatible with the more general password manager solution. So those users who do need to visit a given site frequently can't use a password manager (at least without redirecting themselves to an alternative method, which is also poor usability).
This is circular thinking: Password managers are superior to this approach, because this approach is not compatible with password managers, the "more general" solution.
It is like saying: "We need TV sets because TV sets are the only (valid) means of entertainment."
Absolutely false. Password managers are superior because they don't suffer the vulnerabilities I listed with email: high latency, outages, spam filters, and less secure long-lived sessions.