Password-less authentication in web apps - How safe is it?

As always, the choice of the authentication scheme mainly depends on what you need to protect and the kind of audience you will receive.

As mentioned in the comments, the "I forgot my password" link is a good example. In the past, for certain non-important websites, I systematically used such links to open a session:

  1. Click on the "I forgot my password" link
  2. Get the email allowing the password to be reset,
  3. If actually required, reset the password to some long random string.

This way, the security of access to this site depended on the security of my mailbox. I did not have any password to remember, and the password recorded in this site's database was unique.

This procedure seems like a dirty version of the one you present in your question.

Regarding security, this works as long as:

  • The authentication source (email, phone, ...) is not compromised,
  • The long-lived token is not compromised.

For a non-important website, when such an authentication scheme is correctly implemented, it could be more secure than allowing users to use some silly password already used on a dozen other websites.

For a website dealing with sensitive data, the user must be able to prove their identity. Therefore the use of a secret password known only to the user seems mandatory in order to proceed with a normal authentication. The use of email / SMS should remain exceptional, as a password reset procedure or as a second authentication factor.

Regarding usability, it would be better to keep such an authentication scheme optional, since some users may prefer to use password safes or other kinds of password generators to handle their passwords and will not be able to act as they would with your authentication scheme (the links provided are just samples of such software).
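The answer above hinges on the scheme being "correctly implemented": the emailed link must carry an unguessable token that is short-lived, single-use, and not recoverable from the server's own database if that database leaks. The following is an added example (not code from the question or the answer) of a minimal magic-link token store that meets those three properties; the class name `MagicLinkStore`, the 15-minute lifetime and the injectable `clock` are assumptions made for the illustration.

```python
import hashlib
import secrets
import time

# Assumed lifetime for an emailed login link: long enough to read the mail,
# short enough that a stale link in a mailbox is worthless.
TOKEN_TTL_SECONDS = 15 * 60


class MagicLinkStore:
    """Hypothetical in-memory issuance and redemption of emailed login tokens.

    Design points this example demonstrates:
      * the token is CSPRNG output, so it cannot be guessed or enumerated;
      * only a SHA-256 hash of the token is stored, so a dumped table does
        not yield usable links (the email still does, which is the answer's
        "authentication source must not be compromised" condition);
      * a token is removed on first redemption (single-use) and rejected
        once its expiry has passed.
    """

    def __init__(self, clock=time.time):
        # clock is injectable so expiry can be tested deterministically
        self._clock = clock
        self._by_hash = {}  # sha256(token) -> (email, expires_at)

    @staticmethod
    def _hash(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, email: str) -> str:
        """Create a fresh token for `email`; the caller emails it as a link."""
        # 32 random bytes -> 43-character URL-safe string (256 bits of entropy)
        token = secrets.token_urlsafe(32)
        self._by_hash[self._hash(token)] = (email, self._clock() + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, token: str):
        """Return the email the link was issued for, or None on any failure.

        Looking up by hash means the secret token never acts as a dict key,
        and pop() makes the token unusable again whether or not it was valid.
        """
        entry = self._by_hash.pop(self._hash(token), None)
        if entry is None:
            return None  # unknown, already used, or forged token
        email, expires_at = entry
        if self._clock() > expires_at:
            return None  # expired: consumed without granting a session
        return email

    def pending(self) -> int:
        """Number of unredeemed tokens (useful for monitoring and tests)."""
        return len(self._by_hash)


if __name__ == "__main__":
    store = MagicLinkStore()
    link_token = store.issue("alice@example.com")  # constructed sample address
    print("first redemption:", store.redeem(link_token))
    print("second redemption:", store.redeem(link_token))
```

On redemption the application would then create an ordinary session cookie; the emailed token itself must never be reused as the long-lived session credential, which is the second condition the answer lists. A persistent deployment would keep the hash column in a database table instead of a dict and add per-address rate limiting on `issue`, so that an attacker cannot flood a victim's mailbox with links.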