Nearly Right

Why six-digit email codes create more problems than passwords

How companies trying to improve security accidentally made it worse

Every morning, millions of people check their email to find messages containing six-digit codes from trusted services. Microsoft needs to verify a login. Google wants to confirm account access. The bank requires authentication for a transaction. These emails look entirely legitimate because they are legitimate—sent by real companies with proper security certificates and familiar branding.

Yet some recipients will copy those codes into malicious websites, unknowingly surrendering complete control of their accounts to criminals.

This isn't a distant theoretical threat. Security researchers documented a 703% surge in credential phishing attacks during 2024, with email-based authentication proving particularly vulnerable to an elegantly simple attack. Criminals create fake websites that mimic legitimate services, prompt users to enter their email addresses, then use those addresses to trigger real authentication codes from real companies. When users enter the genuine codes on fake sites, attackers use them to access genuine accounts.

The cruel irony? Companies implemented email authentication specifically to solve security problems. Instead, many created something demonstrably worse than the passwords they replaced.

The great authentication shuffle

The exodus from traditional passwords followed decades of documented failures. Users chose weak passwords, reused them across multiple accounts, and forgot them with exhausting regularity. Gartner research revealed that password-related issues generated between 20% and 50% of all help desk calls, whilst Forrester calculated that each password reset cost organisations an average of £70.

Email-based authentication appeared to solve these problems elegantly. No complex password requirements. No forgotten credentials. No expensive reset procedures. Users would simply receive a code via email and enter it to sign in. The system seemed foolproof.

The flaw lay not in the technology but in human psychology. Email authentication trains users to expect codes from trusted services and to type them into whatever page asked for them in order to finish signing in. Nothing in the code itself ties it to the site where it belongs, so this conditioning creates the perfect setup for social engineering attacks.

Password managers—which have become the primary defence against credential theft—cannot protect against email code phishing. These tools store each credential against the domain it was saved on, recognise when users visit an unfamiliar domain, and refuse to auto-fill the password, alerting users to potential threats. But with email codes, everything appears legitimate: the email comes from a real service, the code is genuinely generated, it carries no binding to any domain, and users have been conditioned to enter such codes wherever requested.

"Email one-time codes are worse than passwords for phishing resistance," security experts warn in technical discussions. "Password managers create friction that protects users. Email codes eliminate that friction entirely."

The hidden economics of authentication

Companies celebrating the elimination of password reset costs often discover that email authentication introduces different but equally expensive challenges. Support requests haven't disappeared—they've evolved.

Help desks now handle missing email complaints, user confusion about multiple authentication methods, and an increasing volume of compromised account reports. The 2024 Email Security Risk Report found that 94% of organisations experienced email security incidents, with 96% suffering measurable business impacts.

The productivity costs prove even more substantial. Analysis shows users spend an average of 10.9 hours annually managing authentication issues—time that scales to approximately £5.2 million in lost productivity for a 15,000-person organisation. This calculation excludes the cascading costs of successful attacks.

One major retailer reported that whilst password-related support calls decreased 60% after implementing email authentication, the average time to resolve security incidents increased 400%. Password resets are routine; investigating compromised accounts requires forensic analysis, security reviews, and coordination across multiple teams.

The economic equation becomes more complex when considering the broader costs of email-based attacks. These systems don't just shift expenses—they often amplify them by creating new categories of security incidents that demand more sophisticated responses.

The passkey promise and its obstacles

Security professionals broadly agree that passkeys represent the optimal technical solution. Using cryptographic key pairs, they eliminate both password memorability problems and email code phishing vulnerabilities. Microsoft data shows passkey authentication succeeds 98% of the time versus 32% for passwords, whilst completing three times faster than traditional methods.
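The difference between a relayed email code and a relayed passkey assertion comes down to one thing: whether the proof the user hands over is bound to the site they are actually looking at. The toy model below is an added illustration, not code from the article or from any vendor it names. It replays the relay described earlier (a fake page triggers a genuine code and forwards it), then runs the same relay against a passkey-style relying party whose login assertion includes the origin the browser saw, and finishes with the exact-origin check a password manager performs before auto-filling. The origins `bank.example` and `bank-secure-login.example`, the account names, and the use of an HMAC over a shared secret in place of a real public-key signature are all constructed simplifications.

```python
import hashlib
import hmac
import json
import secrets

# Constructed toy: one service that logs users in with an emailed six-digit
# code, and one passkey-style relying party whose assertion is bound to the
# origin the browser shows. The HMAC "signature" stands in for the public-key
# signature a real passkey authenticator produces; all names are made up.

RP_ORIGIN = "https://bank.example"
PHISH_ORIGIN = "https://bank-secure-login.example"


class EmailCodeService:
    """Login by emailed one-time code: the code carries no origin binding."""

    def __init__(self):
        self.pending = {}

    def send_code(self, email):
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[email] = code
        return code  # in reality delivered to the user's inbox

    def verify(self, email, code):
        expected = self.pending.pop(email, None)
        return expected is not None and hmac.compare_digest(expected, code)


class Authenticator:
    """Passkey stand-in. The browser, not the user, supplies the origin."""

    def __init__(self):
        self.key = secrets.token_bytes(32)

    def sign(self, challenge, origin):
        client_data = json.dumps({"challenge": challenge, "origin": origin}, sort_keys=True)
        sig = hmac.new(self.key, client_data.encode(), hashlib.sha256).digest()
        return client_data, sig


class PasskeyRelyingParty:
    """Checks challenge freshness, origin, and signature, as a WebAuthn relying party does."""

    def __init__(self, origin):
        self.origin = origin
        self.keys = {}        # user -> verification key registered at enrolment
        self.challenges = {}  # user -> outstanding challenge

    def register(self, user, authenticator):
        self.keys[user] = authenticator.key

    def start_login(self, user):
        challenge = secrets.token_hex(16)
        self.challenges[user] = challenge
        return challenge

    def finish_login(self, user, client_data, sig):
        data = json.loads(client_data)
        if data.get("origin") != self.origin:
            return False  # assertion was produced for a different site
        if data.get("challenge") != self.challenges.pop(user, None):
            return False  # stale, replayed, or unknown challenge
        expected = hmac.new(self.keys[user], client_data.encode(), hashlib.sha256).digest()
        return hmac.compare_digest(expected, sig)


def relayed_email_code_login(service, email):
    """Fake page triggers a real code; the user pastes it there; the fake page submits it."""
    code = service.send_code(email)
    return service.verify(email, code)


def relayed_passkey_login(rp, authenticator, user):
    """Same relay against a passkey: the challenge is forwarded, but the browser binds PHISH_ORIGIN."""
    challenge = rp.start_login(user)
    client_data, sig = authenticator.sign(challenge, PHISH_ORIGIN)
    return rp.finish_login(user, client_data, sig)


def genuine_passkey_login(rp, authenticator, user):
    challenge = rp.start_login(user)
    client_data, sig = authenticator.sign(challenge, RP_ORIGIN)
    return rp.finish_login(user, client_data, sig)


def password_manager_should_fill(saved_origin, current_origin):
    """A password manager fills only on the exact origin the credential was saved for."""
    return saved_origin == current_origin


def demo():
    service = EmailCodeService()
    rp = PasskeyRelyingParty(RP_ORIGIN)
    auth = Authenticator()
    rp.register("alice", auth)
    return {
        "email_code_relay_succeeds": relayed_email_code_login(service, "alice@example.com"),
        "passkey_relay_succeeds": relayed_passkey_login(rp, auth, "alice"),
        "genuine_passkey_succeeds": genuine_passkey_login(rp, auth, "alice"),
        "manager_fills_on_phish": password_manager_should_fill(RP_ORIGIN, PHISH_ORIGIN),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The relayed email code verifies because the service has no way to tell which page the user typed it into; the relayed passkey assertion fails before the signature is even checked, because the origin the browser wrote into the signed data is not the relying party's. Consuming each challenge on use also means a captured assertion cannot be replayed later.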

Yet adoption remains disappointingly slow outside major technology companies. The obstacles prove more human than technical.

"The biggest barrier to passkey adoption isn't complexity—it's familiarity," industry analysis reveals. "People understand passwords even when they use them poorly. Passkeys require trusting something invisible, stored somewhere unknown."

Implementation challenges compound the problem. Whilst major platforms like Apple, Google, and Microsoft have invested heavily in passkey infrastructure, smaller organisations struggle with integration costs and user education requirements. The technology works brilliantly for those who understand it but creates confusion for everyone else.

Recovery mechanisms present another challenge. When users lose access to passkeys—through device failure, theft, or platform switching—account recovery becomes complicated. Most services default to email-based recovery for passkeys, reintroducing the vulnerabilities they were designed to eliminate.

Perhaps most concerning is the "attestation problem"—technical features that allow service providers to verify which company manufactured a user's authentication device. Whilst intended for enterprise security, these capabilities enable vendor lock-in and platform discrimination, potentially undermining the open nature that makes passkeys attractive.

The invisible trust architecture

Email-based authentication fundamentally restructures digital security responsibility in ways most users never consider. When authentication depends on email access, account security becomes entirely contingent on email provider security measures.

This creates peculiar dependencies: banking security becomes only as robust as Gmail security, workplace productivity depends on personal email providers, and email account compromises cascade across dozens of other services. The mathematics of this trust delegation prove sobering.

Current research shows 44% of phishing emails originate from compromised accounts, meaning even legitimate services cannot guarantee message authenticity. When major email providers experience security incidents—as several did during 2024—the impact multiplies across every service relying on email authentication.

"Email authentication creates systemic single points of failure," notes one security architect. "We've centralised internet security around a handful of email providers without acknowledging the concentration risk."

This architectural shift carries broader implications for digital autonomy. Users choosing alternative email providers or self-hosted solutions frequently find themselves excluded from services that assume everyone uses major commercial platforms. The result accelerates consolidation around a few dominant providers, creating systemic vulnerabilities that extend far beyond individual accounts.

Finding a sustainable path forward

The authentication landscape reveals fundamental tensions between security, usability, and economics that cannot be resolved through technology alone. Email-based authentication isn't universally terrible—it genuinely addresses real password problems. But it also introduces vulnerabilities and dependencies that many organisations haven't properly evaluated.

The most successful approaches recognise authentication as a layered challenge requiring multiple strategies. Leading companies implement passkeys where technically feasible, strengthen email security where necessary, and design fallback systems that avoid recreating original problems.

For individuals, the guidance remains complex: use password managers, enable multi-factor authentication, maintain scepticism toward unexpected authentication requests, and adopt passkeys when available. For organisations, the challenge proves greater: building authentication systems that balance competing demands whilst preparing for futures where current approaches may prove inadequate.

The authentication wars continue evolving. What's certain is that the stakes—and the consequences of miscalculation—keep rising as digital dependencies deepen. The companies and users who recognise these complexities and adapt accordingly will be better positioned for whatever authentication challenges emerge next.

Those who assume that solving yesterday's password problems automatically addresses tomorrow's security threats may discover they've simply traded familiar vulnerabilities for unfamiliar ones.

#cybersecurity