The very website they link to [1] via its HN thread [2] states correctly that:
"No, email is not a secure medium. It was never designed to be one. It’s susceptible to Man In The Middle (MITM) attacks and a slew of other issues. Users might also have their email accounts abused or hacked into (how many people do you know who have left their GMail logged in on a public computer?). And what about if their email provider gets hacked or their backups stolen?"
Mozilla should know that email is not an adequate medium for one-time password delivery.
They are replacing strong authentication (2 factors) with its second factor alone.
One problem is that SMTP itself [1] is just a plaintext email format. Sure, you can send it over a secure connection and most do, but that's left completely up to the provider to decide and therefore never guaranteed.
This is by no means a very secure option, but do you really care if your www.anime-planet.com or konachan.com account doesn't use 2 factor authentication?
Some websites just don't need such a high level of security plus you could argue they are probably less careful with your password than say Google is with your email.
Now it can still be hacked but you could argue this is probably an increase in security although it does create a central point of failure just like password managers.
Nobody says Google or Amazon should start using this but websites with a lower requirement of security shouldn't inconvenience their users unnecessarily.
If your only need is to identify the user for something banal that couldn't do much damage if it gets hacked, then this is a good solution.
It's a QR-based system, but according to that page it says it can work via a tap or click on the QR code, too. So you don't have to point a camera at the QR code.
WordPress, Android, .Net Client, Node, PHP, Ruby, Windows Phone, and Haskell. Unfortunately, having people download an app to log in to your website kind of ups the bar a little. Still, they can just scan the code with their phone as well.
[1] http://plaintextoffenders.com/faq/devs
[2] https://news.ycombinator.com/item?id=7943365