Phonemos User Guide

Support for one-time token logins via email

While we can support a classic username / password scenario, we believe that this is a security risk unless you make a second authentication factor mandatory. But if you want to share low-privacy information with someone, requiring all of these users to set up a second factor might be too inconvenient and add unnecessary hurdles.

As an alternative, we support a login scenario where the user enters their email address and then receives a login link via email that can be used temporarily (the expiry timeout is configurable). That way, you prevent users from setting insecure passwords, such as passwords reused from other sites, and they need to prove at least continued access to their email inbox for each login, which we consider more secure than any bad password.