New password in anger

Email is a really bad way to provide authentication. There is no standard method for authentication in email clients and email has no guarantees of confidentiality or data integrity in transit. It's used at the moment for password recovery but it's far from ideal. OpenID and OAuth are worth looking into. OpenID for authentication and OAuth for authorisation.