Sep 5, 2018
Jiri, server admins can already steal your accounts by requesting password resets to that same email address.
The peculiar robustness of email-based auth is that it is no less secure than any system backed by password resets over email.
