They did not do away with the second password. It is now a trade password.
They now have a varification e-mail sent to the registered e-mail account. So if someone tried to hack an account, they would need that varification e-mail from the e-mail adress.
BUT They do have a flaw... to change your e-mail adress, you dont even need a varification phrase from the old e-mail. They need to make it so an email is sent to the old email first.
This is probably a bug, you should report it right away.