I don't have passwords for my personal sites. To sign up a user pick their username and enter their email. There is a logout button if the user wishes to log out. To log in you enter your email and click the link that is sent to your email address.
Why are we using passwords at all especially if we register a users email?
At some point the user needs to be authenticated. The approach that you are detailing will shift this process to the authentication of the email account. Technically it could shift it elsewhere too, but at some point there will need to be a form of authentication.
The problem with delegating the process to a third party is that you place too much trust in (a) their security mechanisms, and (b) the non-secure transport channel for the email. Each of these creates threats that otherwise wouldn't exist in that (a) a poorly protected email host may allow an adversary to access your authentication emails, exposing the fact that your website utilises this mechanism, which means that they simply need to submit a new request, and (b) interception of the authentication email results in the same outcome.
The use of a password introduces a secret that is shared by only the authenticator (your site), and the user wishing to be authenticated. It exists in electronic form for a very short period of time, and within a security environment for which you define the level of protection relative to the threat model.
Because that's only a single factor. Sure, it can certainly work, but it also has weaknesses.
First, if someone acquires access to the user's email, then they have automatic access to the site. This is not seen as a big deal for some people (if my email is compromised, then everything else isn't as important), but it is still an inherent weakness.
Second, there is a User Experience impact. Instead of staying on your site to log in, the user bounces back and forth from their email. This isn't a security issue, but it does speak to the reason why your method is not more commonly implemented.
So you just made the password a link. What's the difference? In the end, it's just like randomly generating the password for a user (which has been used quite a bit in the past - and most of the time, it meant that you simply kept the registration e-mail in your mailbox).
Clicking on a link isn't a free action - the user is passing some information from his e-mail interface to you. Sure, most of the time nowadays this only means a referral, but that's still a piece of information.
The main problem I see, however, is that you expect the user to click a link in an e-mail you send to him. Most people don't read the links - they just click them. So someone can easily send an e-mail to everyone registered on your site (the recipient has no way of knowing it's really you), and send them to whatever site they want - because you've taught your users that clicking on links in your e-mails is just fine and to be expected. And then you give them the option of YourAwesomeSite Toolbar! and they install it, because they trust you. Or you use a security bug in Flash or Java, whatever.
Remember, people are always the weakest link. They know they're supposed to treat their passwords as a secret. They don't know that anyone can send an e-mail that pretends it comes from you.
Oh, and from user experience point of view, this is just silly. I don't want to login to my e-mail and search for one specific message just to login to your site - that's a great way to simply stop using your site. You may think that it's fine to just keep the user logged in, but that's something I only do with very few sites - I tend to avoid persistent sessions (and saving passwords). And as for your Facebook example, indeed, I only open it in a separate browser and in an anonymous session - the same as with any other annoying tracking site. Consider if you had to login to Facebook by clicking an e-mail link - do you see the problem with that now?
I think mostly because a password is a secret infomation and an link isn't, the user (and the tool used by the user) can easily identify it at an information they are supossed to protect and not share with everyone.
in theory your method isn't worst (in practice it have some flaws) but using anything other than the standard isn't user friendly.
We start using your method (facebook, google, etc...) but the reason for this isn't security but data-collecting for provider, simplicity for programmer (which can provide more security)
Another thing : a password authentificate the user, an email authentification the email provider, for most usage it is ok (you trust your email provider with a lot of sensitive information) but if you want to assure than only the user can access the information it is clearly a flaw (this one is mostly theoric cause the user will always need to trust the tool he use : hardware, software).
As a mobile user it would be a pain for me if I had to switch out of my browser app and open my Gmail app every time I wanted to log in to your site. In IS there always has to be a balance of security and usability - you can have the most secure system in the world, but it means nothing if nobody uses it. A password does not take me out of the browsing experience in the way that having to open an email would.
