
Email-only as authentication

Developer https://www.devze.com 2023-02-28 15:14 Source: web

What about using only email addresses (no usernames, no passwords) for authentication as a kind of poor man's OpenID?

The sign up process would require only the user's email and would send it a link with random nonce for logging in, just like many services usually do for password recovery/email verification. After verifying the nonce, the service would set a (permanent) cookie in the browser as usual and use that as identification. In case the user wishes to use another machine/browser, another message has to be sent.

I've never seen a site doing something like that. What do you think about this scheme? Are there any obvious security holes I'm not seeing (considering the usual stuff, like protecting the cookies to be https-only, gets done properly)? Is it difficult to get this kind of email through the spam filters nowadays? Do you think it would be hard for users to get used to that? Do you see any usability issues?


This would be insecure. Emails are sent in plaintext by default, and you can't guarantee that they will be sent encrypted (the user's mailserver might not support TLS). Moreover, there are some edge cases: an email inbox might be accessible by more than one person; an email address might become owned by a different person or people in the future, especially in the case of work email addresses. Yes, sometimes you want accounts to be inherited by the inheritor of your email address, but sometimes you don't.

However, sites that have a "reset your password" feature and don't require any authentication other than your ability to read an email to use that feature are just as insecure! They only look more secure.
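As an added illustration of the scheme in the question and the answer's point that an emailed link is only as strong as a password-reset link (example code written for this page, not from the original post), here is a minimal magic-link issuer that stores only a hash of the nonce, expires it after a short window and allows exactly one redemption; the host name and the in-memory store are constructed placeholders.

```python
import hashlib
import hmac
import secrets
import time

# Short lifetime limits how long an intercepted (plaintext) email stays useful.
TOKEN_TTL_SECONDS = 600


class MagicLinkService:
    """Constructed in-memory magic-link flow; a real service would persist these records."""

    def __init__(self, now=time.time):
        self._now = now
        self._pending = {}   # sha256(nonce) -> (email, expires_at)
        self._sessions = {}  # session_id -> email

    @staticmethod
    def _hash(nonce: str) -> str:
        # Only the hash is stored, so a copy of the database yields no usable login links.
        return hashlib.sha256(nonce.encode()).hexdigest()

    def issue_link(self, email: str) -> str:
        """Return the login URL that would be emailed to the user."""
        nonce = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._pending[self._hash(nonce)] = (email, self._now() + TOKEN_TTL_SECONDS)
        return f"https://example.invalid/login?token={nonce}"  # placeholder host

    def redeem(self, nonce: str):
        """Exchange a nonce for a session id; None if unknown, expired or already used."""
        digest = self._hash(nonce)
        # Constant-time comparison over stored hashes avoids a timing side channel.
        match = next((k for k in self._pending if hmac.compare_digest(k, digest)), None)
        if match is None:
            return None
        # Single use: remove the record before the expiry check so a replay fails either way.
        email, expires_at = self._pending.pop(match)
        if self._now() > expires_at:
            return None
        session_id = secrets.token_urlsafe(32)
        self._sessions[session_id] = email
        return session_id

    def whoami(self, session_id: str):
        """Return the email bound to a session id, or None for an unknown session."""
        return self._sessions.get(session_id)
```

None of this removes the risk the answer describes (anyone who can read the inbox during the window can log in); it only narrows the window and makes a leaked link useless after first use.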
