It’s functionally equivalent to the security of the account recovery process.
So it doesn’t reuse the password, since the second site can’t lose the password it doesn’t have, but it sets the limit on the security of the login to that of the security of the email providers login.
Usually, that’s actually an improvement, since the big email providers most people use tend to enforce reasonable minimums, have good security teams, and people tend to secure their emails better than random sites.
It’s functionally equivalent to the security of the account recovery process.
So it doesn’t reuse the password, since the second site can’t lose the password it doesn’t have, but it sets the limit on the security of the login to that of the security of the email providers login.
Usually, that’s actually an improvement, since the big email providers most people use tend to enforce reasonable minimums, have good security teams, and people tend to secure their emails better than random sites.