Thanks for the write-up. You're correct that, precisely speaking, this is "no more secure" than a password-based system, and you're also right that some of what's been printed has been... hyperbolic to say the least, especially since the idea has been around since at least 2007 (http://www2007.org/posters/poster1001.pdf). As I pointed out in a follow-up post (https://medium.com/inside/why-passwords-suck-d1d1f38c1bb4) - actually a post written a few months ago, albeit only published internally to Medium - "[an email-based forgotten password mechanism] puts an upper bar on how secure a user can ever be. But at least being notified each time a login attempt occurs potentially makes it functionally more secure, if not theoretically."
The majority of users choose horrendous passwords. It seems like a reasonable trade-off to not require them to choose (or reuse) another terrible one, and lean more heavily on services that are already very invested in keeping your data safe. After all, if someone gains access to your email, they can probably do whatever they like on virtually *every* service you use.
As you know, virtually any system can be defeated by a determined enough attacker. Someone could packet sniff emails in transit, modify your domain's MX records, or do any number of other exotic attacks. But someone who can do that would also probably have the ability to throw a botnet at your password too, or crack a less-well-protected site, or get a keylogger onto your machine. Ultimately we're trying to choose an option that keeps as many of our users as safe as possible, by default, without imposing onerous restrictions on them.
All that being said, we'll of course be keeping a close eye on things. All this is done in service of our users. If this isn't effective at keeping them safe, we'll certainly re-evaluate.
(Nice headline, BTW :))
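The mechanism the reply leans on, an email-based login whose links are single-use and short-lived and where the account owner hears about every attempt, is sketched below as an added example. It is not Medium's code or the commenter's; the 15-minute lifetime, the in-memory store, the `_notify` mail hook (recorded in a list) and the `https://example.test` link are all assumptions for illustration.

```python
"""Single-use, time-limited email login tokens with a per-attempt notification.

Added example, not Medium's code. Assumes a hypothetical _notify() mail hook
(here it just records what would be sent) and an in-memory store; a real
service would use a database and an outbound mailer.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field

TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime of a login link


@dataclass
class LoginStore:
    # sha256(token) -> (email, issued_at, client_hint). The raw token is never
    # stored, so a leaked table does not yield usable links.
    pending: dict = field(default_factory=dict)
    # Constructed stand-in for an outbound mailer: (recipient, subject, detail).
    sent_mail: list = field(default_factory=list)


def _notify(store, email, subject, detail):
    """Hypothetical mail hook: every attempt, good or bad, is reported to the owner."""
    store.sent_mail.append((email, subject, detail))


def _digest(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def issue_login_token(store, email, client_hint, now=None):
    """Create a fresh token for `email`, store only its hash, and mail the link."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG; not guessable
    store.pending[_digest(token)] = (email, now, client_hint)
    # Constructed placeholder URL; a real link would point at the service's login endpoint.
    link = f"https://example.test/login?token={token}"
    _notify(store, email, "Your login link", f"{link} (requested from {client_hint})")
    return token


def redeem_login_token(store, token, now=None):
    """Return ("ok", email), ("expired", None) or ("unknown", None).

    The stored hash is removed on first use whatever the outcome, so a link can
    never be replayed, and the owner is told what happened either way.
    """
    now = time.time() if now is None else now
    wanted = _digest(token)
    # Constant-time comparison against each stored digest, so the lookup itself
    # leaks nothing about how close a presented value came to a real one.
    match = next((d for d in store.pending if hmac.compare_digest(d, wanted)), None)
    if match is None:
        return ("unknown", None)  # nobody to notify: no account is tied to it
    email, issued_at, client_hint = store.pending.pop(match)
    if now - issued_at > TOKEN_TTL_SECONDS:
        _notify(store, email, "Expired login link used", client_hint)
        return ("expired", None)
    _notify(store, email, "New login to your account", client_hint)
    return ("ok", email)


if __name__ == "__main__":
    # Constructed walk-through: one good login, one replay, one stale link.
    store = LoginStore()
    t = issue_login_token(store, "alice@example.test", "Firefox on macOS", now=1000)
    print(redeem_login_token(store, t, now=1100))   # ('ok', 'alice@example.test')
    print(redeem_login_token(store, t, now=1101))   # ('unknown', None): already used
    t2 = issue_login_token(store, "alice@example.test", "curl", now=2000)
    print(redeem_login_token(store, t2, now=2000 + TOKEN_TTL_SECONDS + 1))  # ('expired', None)
    for recipient, subject, detail in store.sent_mail:
        print(recipient, "|", subject, "|", detail)
```

The point the reply makes about being "functionally more secure" shows up in `sent_mail`: the owner receives a message for the link request, for the completed login and for the stale link, so an unexpected entry is itself the signal to act on. Storing only the hash and deleting it on first use is what keeps the "upper bar" at the mailbox rather than lowering it further.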