Oh, I hadn't read that as merely having the e-mail address and password to the site, but having the password to the e-mail account. I get it now. Though, it still irks me that we are now up to 3 factor authentication--password, TOTP, and e-mail--under the premise that the user is too dumb to secure 2 factors, and yet somehow is smart enough to secure the third one.