We replaced passwords with something worse
Too many services have been using the following login method:
- Enter an email address or phone number
- The website will send a 6-digit code
- Use the 6-digit code to log in
Please stop.
This is terrible for account security:
- An attacker can simply send your email address to a legitimate service, and prompt for a 6-digit code. You can't know for sure if the code is supposed to be entered in the right place. Password managers (a usual defense against phishing) can't help you either.
- In fact, this attack method has been successfully used in the wild: Microsoft's login for Minecraft accounts use this login method, and many accounts have been stolen already.