> Yes, it move the single point of failure to the user's email account

This isn't even that greater of a concern; it currently is in 99% of cases the method for password reset anyhow.