Also, an email or other means for the service to contact you, the user, is necessary for account recovery. Building a SaaS product without any efficient way to recover a lost password is silly. It leads to a ton of customer service headaches.
No, it is not! You do not need and should not use email for password recovery. OK, let's say you do that, what happens when you have 2FA? Both factors of authentication will be thwarted if your email is compromised? That is ridiculous! There are practical and simple solutions (such as recovery tokens, push notifications, etc.). Look, I don't think you realize how often people's email gets compromised and how many intermediaries read and log email bodies. There are efficient ways. I mean ffs, do you need a valid email to sign up for email providers?? How do they handle resets? There are many ways. The only thing worse than email is "secret" questions.