not 100% related but i think login should be less user friendly

“here take this 512 byte hash and store it and it’s you and if you lose it or have it stolen i couldn’t care less”

email verification is hard to do right (as said in top reply), oauth is annoying to get set up but more secure and all big providers have fancy recovery and login methods

no oauth? get the hash or go away