I appreciate that there is at least one other person on earth who shares my skepticism of many popular MFA implementations. A lot of them add more inconvenience than security. "We sent a code to your email" is particularly heinous.



Other than the chance the email is delayed, and the generally subpar UX, what are your concerns with emailed codes? This is an honest question, as this is the primary login method I settled on for all my services after spending a good chunk of time thinking about this.


If the assumption is that users set bad passwords, hence the need for MFA, then why should the MFA implementation assume their email account is any less compromised than the account we're trying to protect?

Sure, you could say:

  P[password X is compromised] * P[password Y is compromised] <= P[password X is compromised]
...and thus you have increased the security of the account. By the same math, I say that you've barely moved the needle.

If your password recovery flow only requires the user to enter their email, then you've done nothing to raise the security of the account. At that point, the only important password is the one for the email associated with the account: the password for your login system, and all others like it, can be considered mutable and temporary.

If you have "we sent you a code" MFA and email-based password recovery, you have probably de-incentivised hacking of your service. But, the approach also puts a target on the email service provider's back.
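Carrying the comment's probability argument through as an added derivation (not part of the original comment). Let A be the event that an attacker obtains the service password and E the event that the attacker controls the user's email account; the independence assumption used in the comment's product bound is labelled where it is needed.

$$
\text{Login with password + emailed code, no email recovery:}\qquad
P[\text{account compromised}] = P[A \cap E] = P[A]\,P[E \mid A]
$$

$$
\text{Under independence } (P[E \mid A] = P[E]):\qquad
P[A \cap E] = P[A]\,P[E] \le P[A]
$$

$$
\text{With password reuse } (P[E \mid A] \to 1):\qquad
P[A \cap E] \to P[A]
$$

$$
\text{Add email-based password recovery (attacker needs only } E\text{):}\qquad
P[\text{account compromised}] = P[(A \cap E) \cup E] = P[E]
$$

The first pair of lines is the "barely moved the needle" case: the product bound only helps when the email and service passwords fail independently, which password reuse breaks. The last line is the "done nothing" case: once recovery needs only the email, the emailed login code adds no term the recovery path does not already cover, and the account's security collapses to P[E].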


For one thing, I now have to be logged in on my mail on the device I am using, and that means if the device is unsafe, I am exposing far more of a risk that way.

It also forces me to look at my email inbox, which can be a pretty annoying thing if I am trying to relax and now see some email with bad news - requiring me to break the flow again.

Most important however: it is simply wrong and not needed. The flow has been settled.


> For one thing, I now have to be logged in on my mail on the device I am using, and that means if the device is unsafe, I am exposing far more of a risk that way

What's preventing you from getting the email code from another device?


That's assuming I have it on me. I might not, or I might need to dig it out of a bag.


The first two reasons are enough to disqualify it.



