I think these two methods are more similar than they look. It should be noted that the tokens are only temporary tokens, which should be valid for only several minutes. So the e-mail system is not a storage, but a transmission medium. You also could use SMS or any other scheme that guarantees that only the valid receiver will get it.
Of course your proposal is superior, but the infrastructure is not available yet. For web apps with low security demand, I think the discussed scheme would be sufficient (since we already have security implications because of password reset schemes -- and really secure schemes are seldom. In Germany there were even attacks on two-factor authentication via mobile for banks ... the attackers just ordered a second SIM card in the name of the legal user and intercepted the snail mail).
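To make the scheme concrete from the server's side, here is an added example (not code from either participant) of how a short-lived, single-use e-mailed login token can be issued and redeemed. It assumes a hypothetical in-memory store, a five-minute lifetime standing in for the "several minutes" mentioned above, and constructed sample addresses; only a digest of each token is kept server-side, so the transmission medium (e-mail, SMS) carries the only copy of the secret.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Lifetime of a login token; the thread says "several minutes" (assumed: 5).
TOKEN_TTL_SECONDS = 5 * 60


@dataclass
class PendingToken:
    email: str
    expires_at: float
    used: bool = False


class LoginTokenStore:
    """Server-side record of outstanding e-mailed login tokens.

    Hypothetical in-memory store. Only a SHA-256 digest of each token is kept,
    so a leaked copy of this store does not yield usable tokens.
    """

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock  # injectable so expiry can be tested deterministically
        self._tokens: Dict[str, PendingToken] = {}

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, email: str) -> str:
        """Create a fresh token for `email`; the returned string is what gets e-mailed."""
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._tokens[self._digest(token)] = PendingToken(
            email=email, expires_at=self._clock() + TOKEN_TTL_SECONDS
        )
        return token

    def redeem(self, token: str) -> Optional[str]:
        """Return the e-mail the token was issued for, or None if it is unknown,
        already used, or expired. A token is accepted at most once."""
        key = self._digest(token)
        rec = self._tokens.get(key)
        if rec is None or rec.used:
            return None
        if self._clock() > rec.expires_at:
            del self._tokens[key]  # expired: drop it so the store does not grow
            return None
        rec.used = True
        return rec.email


def demo() -> dict:
    """Exercise the store with a controllable clock; returns the observations."""
    now = [1_000_000.0]
    store = LoginTokenStore(clock=lambda: now[0])

    fresh = store.issue("alice@example.invalid")        # constructed sample address
    first = store.redeem(fresh)                         # valid, first use
    second = store.redeem(fresh)                        # replay of the same link

    stale = store.issue("bob@example.invalid")          # constructed sample address
    now[0] += TOKEN_TTL_SECONDS + 1                     # let it expire
    late = store.redeem(stale)

    unknown = store.redeem(secrets.token_urlsafe(32))   # guessed / forged token
    return {"first": first, "second": second, "late": late, "unknown": unknown}


if __name__ == "__main__":
    print(demo())
```

Hashing the token before lookup means the database never holds the redeemable secret, and marking the record as used closes the replay window even inside the few minutes the link is valid; the expiry check is what keeps a mailbox from becoming long-term credential storage.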
Ah, so the expiration issue is smaller than I thought. Thanks for that info. Still, it represents a training issue for users and a new framework to be incorporated into a web app. Those are both barriers to wider adoption.
I agree the security of this solution may be right for certain applications.
Yes, my proposal is an infrastructure play - but I believe it is a more realistically achievable one than most password alternatives.
Yes, I also think that it could be achieved. The problem, as everywhere, is adoption. If two or three big companies stood behind it, it could easily be implemented, and I really would like to see a scheme like that.
There are of course some questions that also would need to be solved. For example: What if another person has access to my computer -- then I still would need some kind of master password that had to be rememberable. Also there must be methods to transfer my keys to another computer or to "copy" them, for example, onto mobile devices.
The example of the SIM card for banking just shows that "big security" is really a hard problem. Two-factor is one idea, but it is always a game where the attackers are hunting the defenders (or vice versa).
Re: shared device use, yes, you would continue to do password management best practices (fingerprint scans, master passwords, etc.).
I see the transferability as an export/import format issue. W3C, browser vendors and password managers need to agree on a format for keychain export/import.
Note that this technique could still be used in conjunction with multi-factor auth. Since it is just an evolution of passwords, those types of mechanisms are still relevant and compatible (though eliminating knowledge factors should reduce the need for a second factor).