That’s the point of real 2fa. And the process of activating it also makes it very clear. I find it incredibly frustrating when I activate 2fa on some service, and they allow email as a fallback that I can’t turn off. Cause that turns it back into single factor, being the email. That’s what the recovery codes are for.
Otherwise, if someone has access to your email, they can just reset the password and get access (cause that is the 2nd factor). Then they can change the associated email address and that’s that.
How is it not 2fa if it involves any method besides your password? Your password is factor 1, something else is factor 2. That can be a number of things.
Reset password via email. Reset second factor via email. Email is the only factor, neither password nor the 2fa.
Usually, the actual login is not the easiest target for an attacker, the recovery methods are. You call a helpline to get a second SIM for SMS codes. You guess (or dig up) answers to recovery questions if available. You get access to email accounts, e.g. via phishing.
If a recovery path for a security factor is weak, it ceases to be a security factor. By allowing both password and the second factor to be recoverable via email, both factors collapse into one: get access to the email and you’re in.
Like Randelung said, that would be true if you couldn’t reset your password via email. But as long as that’s possible the email can’t ever be the 2nd factor because it can be used to (re)set the 1st one.
A safer definition of what the 2 factors should be is “something you know” and “something you own”. The “know” is usually a password (which you can remember, but you should use a password manager these days so you can have a different password for every service). The “own” is typically a phone these days (generating a timed code, for example). But it doesn’t have to be, it can be a physical USB dongle or your fingerprint. The idea is that it’s something that can’t be overheard, or recorded via key logger or even told to someone.
Steam does this better (as in safer) than most.
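The factor-collapse argument made in this thread (password and second factor both resettable via email), worked through as an added example that is not part of any post: it lists the smallest sets of things that must be controlled to pass login once recovery paths are counted. The factor names, the one-level recovery model and the function names are assumptions made for illustration.

```python
from itertools import product

def minimal_compromise_sets(login_factors, recovery):
    """Return the minimal sets of assets that are enough to pass login.

    login_factors: factors that must ALL be presented at login.
    recovery: factor -> list of asset sets; controlling any one set resets
              that factor. Recovery assets are treated as roots here
              (assumption: their own recovery paths are not modelled).
    """
    options = []
    for factor in login_factors:
        # Holding the factor itself always works; each recovery path is an alternative.
        paths = [frozenset([factor])]
        paths += [frozenset(p) for p in recovery.get(factor, [])]
        options.append(paths)

    # Pick one way of satisfying each factor and merge what that requires.
    combos = {frozenset().union(*choice) for choice in product(*options)}

    # Drop any set that strictly contains another sufficient set.
    minimal = [c for c in combos if not any(other < c for other in combos)]
    return sorted(minimal, key=lambda s: (len(s), sorted(s)))

def effective_factors(login_factors, recovery):
    """Size of the smallest sufficient set: the real number of factors."""
    return len(minimal_compromise_sets(login_factors, recovery)[0])

# Constructed policies, not taken from any real service.
LOGIN = ["password", "totp"]
EMAIL_FALLBACK = {"password": [{"email"}], "totp": [{"email"}]}
RECOVERY_CODES = {"password": [{"email"}], "totp": [{"recovery_codes"}]}

if __name__ == "__main__":
    for name, policy in [("email fallback", EMAIL_FALLBACK),
                         ("recovery codes", RECOVERY_CODES)]:
        sets = [sorted(s) for s in minimal_compromise_sets(LOGIN, policy)]
        print(f"{name}: effective factors = "
              f"{effective_factors(LOGIN, policy)}, sufficient sets = {sets}")
```

With email as the fallback for both factors, the smallest sufficient set is the email account alone; with recovery codes for the second factor, every sufficient set still has two members.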