Many people (most?) prefer to sign up to services by email address. To do so, those email addresses must be verified. How would you verify it without sending them an email link?
You can verify validity of an email like that, no issue there. Just don't use that as an authentication factor. Control over an email account should not trump passwords (what you know) or proper 2FA (what you have; typically, email can be 2FA like SMS, and like SMS it is not a good choice). If a person proves they control an email account, then you ask them for additional info like secret questions or other information configured during registration.
I should not be able to take over your life because I compromised your phone which has SMS, a TOTP app and email.
badrabbit|3 years ago
throwaway14356|3 years ago
Also, mail might not live on the same computer.
xboxnolifes|3 years ago
inopinatus|3 years ago
* use an interstitial page so that the actual activation is a POST request;
* send a confirmation code instead of a link
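The two points above (activate only on a POST from an interstitial page, and send a short confirmation code rather than a link) as an added example. This is illustrative code written for this thread, not inopinatus's or any project's own implementation. It assumes a 6-digit numeric code, a 15-minute lifetime, a five-guess limit per code, and that only an HMAC of the code is stored server-side; the `EmailVerifier` class, `handle_activation` function and the sample addresses are all constructed for the example.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 15 * 60   # assumed policy: a code lives 15 minutes
MAX_ATTEMPTS = 5             # assumed policy: a 6-digit code must not be guessable online


class EmailVerifier:
    """Holds pending confirmation codes keyed by email address (hypothetical helper).

    Only an HMAC of the code is kept, so a leaked table does not reveal live codes;
    the `now` callable is injectable so expiry can be tested deterministically.
    """

    def __init__(self, server_secret: bytes, now=time.time):
        self._secret = server_secret
        self._now = now
        self._pending = {}  # email -> {"digest": bytes, "expires": float, "attempts": int}

    def _digest(self, email: str, code: str) -> bytes:
        msg = f"{email.lower()}:{code}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).digest()

    def issue_code(self, email: str) -> str:
        """Create a fresh 6-digit code for `email`; the caller sends it by mail, out of band."""
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[email.lower()] = {
            "digest": self._digest(email, code),
            "expires": self._now() + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        return code

    def confirm(self, email: str, code: str) -> bool:
        """True exactly once if `code` matches the live code; burns it on success, expiry or exhaustion."""
        key = email.lower()
        rec = self._pending.get(key)
        if rec is None:
            return False
        if self._now() > rec["expires"] or rec["attempts"] >= MAX_ATTEMPTS:
            del self._pending[key]
            return False
        rec["attempts"] += 1
        ok = hmac.compare_digest(rec["digest"], self._digest(email, code))
        if ok:
            del self._pending[key]          # single use
        elif rec["attempts"] >= MAX_ATTEMPTS:
            del self._pending[key]          # too many guesses: a new code must be requested
        return ok


def handle_activation(verifier: EmailVerifier, method: str, email: str, code: str) -> str:
    """Tiny request handler: GET renders the interstitial, only POST performs the activation.

    Mail scanners and link-preview bots fetch URLs with GET, so a GET must never change
    state; the account is confirmed only on the user's explicit form submission.
    """
    if method == "GET":
        return "interstitial"   # page with a form whose submit button POSTs the code
    if method == "POST":
        return "activated" if verifier.confirm(email, code) else "rejected"
    return "method-not-allowed"


if __name__ == "__main__":
    v = EmailVerifier(secrets.token_bytes(32))
    code = v.issue_code("alice@example.com")   # constructed sample address
    print(handle_activation(v, "GET", "alice@example.com", code))     # interstitial: nothing activated yet
    print(handle_activation(v, "POST", "alice@example.com", code))    # activated
    print(handle_activation(v, "POST", "alice@example.com", code))    # rejected: code already consumed
```

The interstitial GET returns a page only; activation happens on the POST, so an automatic prefetch of the emailed URL cannot confirm the account. Storing `HMAC(secret, email:code)` instead of the code, comparing with `hmac.compare_digest`, and capping guesses keeps a six-digit code acceptable as a one-time ownership check, which is all it should be used for.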