seems like all you need is a bit of middleware.

1/ if user is logged in, check whether the cookie is available already, and if it's not, redirect to route /emailguard or something 2/ in your routes file, route /emailguard to your controller method for your guard. 3/ in your controller method, you generate the code, and have it sent to the email user; you also generate the view to the browser telling your user that you dispatched an email and that he needs to enter the code that he finds in that email. 4/ user fetched email, completes the form, which you treat and you create the cookie, and log in the user.

It is in fact two factor authentication, only you are using the email rather than the SMS, or a smartphone app.

For added security, you could also just send a LINK to the email user that has a more advanced hash of the code to "complete the login". Also make the link valid for only a limited time.

Good luck with the project - shouldn't be too hard to build this.