Thank you @fantasticfears for lying the ground work here! I made some changes as to how error messages are displayed and made the rate limits more aggressive for the new routes.
As per @sam’s request, the feature is also off by default and can be enabled via enable_local_logins_via_email
site setting.
https://github.com/discourse/discourse/commit/03b3e57a44da228bca7296bd752e26447956e1d6