
This means the second someone loses access to their email account, they lose access to every account on every system attached to it via this method. I'm not sure introducing a single point of failure is a good idea.


This is true already for pretty much every website that lets you recover a password by email, and most allow this. Any that use a secret question wouldn't switch to this scheme anyway. It reduces the hassle, as if your email got compromised, and they change passwords to all your other accounts, you have to regain access one by one, changing passwords back and so on, when with this email system, you can just regain access to the email account and the rest are under your control again.


While true, isn't BrowserID piggybacking on this? Using your email as the "persona"? An accidental benefit would be any service that implemented this would be automatically two-factored for users who have a two-factor system enabled. I like the thought of that.



