Recovery: Why Email OTP Is A Strong Backup

Why email OTP works well

  • Most users already secure their email accounts well.
  • Email is broadly understood and already part of account recovery habits.
  • It works across devices without teaching users a new recovery ritual.
  • It is a better mainstream backup than asking users to store recovery codes they will lose.

Why not SMS or 6-digit authenticator codes

  • SMS is weak against SIM swapping and carrier-level attacks.
  • A 6-digit TOTP code is fine as a second factor, but weak as sole identity proof.
  • Recovery codes are operationally hard for many users to keep safe.
  • Passkeys plus email OTP is often the most practical product balance.
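
An added example, not from the original slides, of the server-side checks that keep an emailed recovery code from being guessable the way a bare 6-digit code is: a random code that is hashed at rest, short-lived, attempt-limited and single-use. The class name RecoveryOtpStore, the 8-character code, the 10-minute lifetime and the 5-attempt cap are assumptions chosen for illustration.

```python
import hashlib, hmac, secrets, time

CODE_TTL_SECONDS = 600   # assumption: 10-minute validity window
MAX_ATTEMPTS = 5         # assumption: guesses allowed per issued code
ALPHABET = "ABCDEFGHJKMNPQRSTUVWXYZ23456789"  # no look-alike characters
CODE_LENGTH = 8          # assumption: 31^8 possible codes

class RecoveryOtpStore:
    """Hypothetical in-memory store; a real service would use a database."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # account_id -> {"digest", "expires", "attempts"}

    @staticmethod
    def _digest(account_id, code):
        # Bind the code to the account and keep only a hash of it.
        return hashlib.sha256(f"{account_id}:{code}".encode()).digest()

    def issue(self, account_id):
        """Create a fresh code, replacing any earlier one; the caller emails it."""
        code = "".join(secrets.choice(ALPHABET) for _ in range(CODE_LENGTH))
        self._pending[account_id] = {
            "digest": self._digest(account_id, code),
            "expires": self._clock() + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        return code

    def verify(self, account_id, submitted):
        """Return True once for the right code; fail closed otherwise."""
        entry = self._pending.get(account_id)
        if entry is None:
            return False
        if self._clock() > entry["expires"] or entry["attempts"] >= MAX_ATTEMPTS:
            del self._pending[account_id]   # expired or locked: must re-issue
            return False
        entry["attempts"] += 1
        candidate = self._digest(account_id, submitted.strip().upper())
        if hmac.compare_digest(candidate, entry["digest"]):  # constant-time
            del self._pending[account_id]   # single use
            return True
        return False
```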
Intro to Passkeys