Hacker News

> means annoying gyrations trying to transfer links from one device to the next

There are alternatives to this, such as typing a code into the login prompt instead of following a link (which will be submitting that code). This does limit the size of token that can be used because it needs to not be too inconvenient for the user to type, but if the code's validity is sufficiently short-lived, and properly unguessable, this can be done without compromising security any more than it already is by involving SMTP in the process.

Of course the other problem with email-only password resets is that users often receive email on the same device they are trying to authenticate – so if someone has left a machine unlocked with their mail account logged in, an attacker can gain access to any site/app that uses this password reset mechanism. One of the reasons that email and SMS are not great choices for a second factor, and even less good choices for what is sometimes effectively the only factor.
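The typed-code variant described above, as an added example (not code from the commenter or any particular site): the server keeps only a peppered HMAC of each code, so a database read yields nothing usable; codes come from a 32-symbol alphabet without 0/O or 1/I so they survive being read off a phone screen; and each code is short-lived, single-use and limited to a handful of guesses. The names, the 8-symbol length, the five-minute TTL and the five-attempt budget are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import secrets
import time

# Alphabet without 0/O and 1/I so a code read from another screen is easy to type.
CODE_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"   # 32 symbols = 5 bits each
CODE_LENGTH = 8                                       # 40 bits of entropy per code
CODE_TTL_SECONDS = 300                                # assumed: five minutes
MAX_ATTEMPTS = 5                                      # assumed: guesses per issued code


class LoginCodeStore:
    """Server-side state for e-mailed login codes (assumed design, not any
    site's real implementation)."""

    def __init__(self, now=time.time, pepper=None):
        self._now = now                      # injectable clock so expiry is testable
        # The pepper lives outside the database (secret store, HSM); here it is
        # generated on the spot for the example.
        self._pepper = pepper or os.urandom(32)
        self._pending = {}                   # email -> [code_hmac, expires_at, attempts_left]

    def _tag(self, email, code):
        # Keyed hash: a dump of _pending without the pepper cannot be brute-forced,
        # which matters because 40 bits of plain SHA-256 would fall in minutes.
        msg = email.encode() + b"\x00" + code.encode()
        return hmac.new(self._pepper, msg, hashlib.sha256).digest()

    def issue(self, email):
        email = email.lower()
        code = "".join(secrets.choice(CODE_ALPHABET) for _ in range(CODE_LENGTH))
        self._pending[email] = [self._tag(email, code),
                                self._now() + CODE_TTL_SECONDS,
                                MAX_ATTEMPTS]
        return code   # goes out over SMTP; the server retains only the keyed hash

    def redeem(self, email, typed):
        email = email.lower()
        entry = self._pending.get(email)
        if entry is None:
            return False
        if self._now() > entry[1]:
            del self._pending[email]         # expired: a fresh code must be requested
            return False
        # Tolerate whitespace, lower case and dashes that users add when typing.
        normalized = "".join(typed.upper().split()).replace("-", "")
        entry[2] -= 1
        if not hmac.compare_digest(self._tag(email, normalized), entry[0]):
            if entry[2] <= 0:
                del self._pending[email]     # guess budget spent: invalidate the code
            return False
        del self._pending[email]             # single use on success
        return True
```

With 40 bits of entropy and five guesses per code, an attacker who can trigger the prompt has at most a 5/2^40 chance per issued code; re-issuing a code does not help them, because it replaces the one they were guessing. The pepper, not the hashing, is what makes a stolen table useless.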



Agreed. This is one reason I limit the number of devices that have my email credentials. Using 2FA everywhere is sadly not practical yet, so there are a nontrivial number of accounts that are, as you point out, effectively owned by anyone who can access my email.

I actually occasionally fantasize about implementing a mechanism that I could use from my desktop (where my password manager is) to send passwords as needed (e.g. one at a time) to my devices (I really like not worrying about syncing whole vaults). Encrypt the password using an ephemeral key (gets deleted after 60 seconds, for example) on the transfer service and a local key derived from a random six-digit number. Display the number, send a URL to the device, and anyone hitting that URL has 60 seconds to enter the six-digit code and it decrypts the password and drops it on the device clipboard. This is about 1000 times better (and over-engineered, naturally) than my current practice of "paste it in a slack message to myself."
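The transfer scheme sketched above, written out as an added example (my code, not the commenter's, and not any existing product). It follows the two-layer idea: the desktop seals the password under a key stretched from the six-digit code, the service seals that blob again under an ephemeral key it deletes after 60 seconds, and the device unwraps both. One assumption worth stating: a six-digit code is only about 20 bits, so the service must not hand the ciphertext to whoever hits the URL (that would allow offline guessing in milliseconds); instead the desktop gives the service a verifier derived from the same PBKDF2 run, and the service releases the blob only after the right code is presented, with three attempts. The service can still grind the code offline against the verifier (about a million PBKDF2 evaluations), which is why the short lifetime matters. The Python standard library has no AEAD, so `seal`/`unseal` are an HMAC-SHA256 counter-mode stream cipher with encrypt-then-MAC, a stand-in for AES-GCM or ChaCha20-Poly1305 from a real crypto library; all names, the 100,000 iteration count and the random URL token doubling as KDF salt are assumptions.

```python
import hashlib
import hmac
import os
import secrets
import time

CODE_DIGITS = 6
TTL_SECONDS = 60          # the ephemeral key and the slot vanish after this
MAX_ATTEMPTS = 3          # assumed guess budget at the service
KDF_ITERATIONS = 100_000  # assumed PBKDF2 cost


def derive_keys(code, salt):
    """Stretch the typed code into (enc_key, verifier). The verifier goes to the
    service so it can gate release; enc_key exists only on the two endpoints."""
    km = hashlib.pbkdf2_hmac("sha256", code.encode(), salt, KDF_ITERATIONS, dklen=64)
    return km[:32], km[32:]


def _keystream(key, nonce, length):
    out = b""
    for counter in range((length + 31) // 32):
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]


def seal(key, plaintext):
    """Encrypt-then-MAC from HMAC-SHA256 (stdlib stand-in for an AEAD).
    Output layout: 16-byte nonce || ciphertext || 32-byte tag."""
    nonce = os.urandom(16)
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("tag mismatch")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class TransferService:
    """The relay. It never sees the password: it stores the desktop's sealed blob
    wrapped once more under an ephemeral key, plus the code verifier."""

    def __init__(self, now=time.time):
        self._now = now                      # injectable clock for testing expiry
        self._slots = {}                     # token -> slot dict

    def deposit(self, token, sealed_by_desktop, verifier):
        ephemeral_key = os.urandom(32)
        self._slots[token] = {
            "key": ephemeral_key,
            "blob": seal(ephemeral_key, sealed_by_desktop),
            "verifier": verifier,
            "expires": self._now() + TTL_SECONDS,
            "attempts": MAX_ATTEMPTS,
        }

    def _purge_expired(self):
        for token in [t for t, s in self._slots.items() if self._now() > s["expires"]]:
            del self._slots[token]           # the ephemeral key goes with the slot

    def claim(self, token, verifier):
        """Release the desktop's sealed blob only for the right code, once."""
        self._purge_expired()
        slot = self._slots.get(token)
        if slot is None:
            return None
        slot["attempts"] -= 1
        if not hmac.compare_digest(verifier, slot["verifier"]):
            if slot["attempts"] <= 0:
                del self._slots[token]       # budget spent: blob is gone for good
            return None
        del self._slots[token]               # single use
        return unseal(slot["key"], slot["blob"])


def send_password(service, password):
    """Desktop side: returns (code to show on screen, token to embed in the URL)."""
    code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
    token = secrets.token_urlsafe(16)        # 128-bit URL id; also the KDF salt
    enc_key, verifier = derive_keys(code, token.encode())
    service.deposit(token, seal(enc_key, password.encode()), verifier)
    return code, token


def receive_password(service, token, typed_code):
    """Device side: returns the password (destined for the clipboard) or None."""
    enc_key, verifier = derive_keys(typed_code, token.encode())
    sealed = service.claim(token, verifier)
    if sealed is None:
        return None
    try:
        return unseal(enc_key, sealed).decode()
    except ValueError:
        return None
```

The token in the URL is 128 bits, so the URL itself is unguessable; the six-digit code protects against whoever does see the URL (a notification on a locked screen, a chat log). Someone who obtains the URL still has to get past the service's three-attempt gate within the minute, and the service, if compromised, holds only a verifier and a blob it cannot open without the code.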



