Logging In With Email OTP Codes

Simple but secure

Send a unique, time-limited 8-character alphanumeric code.
Access to the email account becomes proof of identity.
The code must be entered in the same browser session.
Users can read the email on one device and sign in on another.

Flow

User requests a login code
Server creates an auth attempt
Email delivers the code
User enters the code
Server verifies the attempt and signs the user in

Why 8-Character Alphanumeric Codes?

Security requirement

Authenticator app codes are usually a second factor. In this system, the OTP code is the only factor, so it needs dramatically more entropy.

The math

6-digit numeric: 10^6 = 1,000,000 combinations
8-character alphanumeric: 36^8 = 2,821,109,907,456 combinations

Why it matters

Brute-force attacks become computationally infeasible.
Rate limiting still matters, but the large keyspace adds defense in depth.
The OTP is strong enough to serve as primary authentication.