TrickMe: I think using the e-mail address as login data is a mistake and a username (not the username displayed to buddies and friends, but a separate login-username) should be used instead.
What you say is true. The email address or the username provide very little added security. They are mostly used as user identifiers (that is, pointing to which password field to compare to).

What you suggest is more similar to having two passwords that you need to enter to log in. That is certainly not less secure. But is it worth the inconvenience? Let us see:
Most users would handle their "secret code" the same way they handle their current password: they would memorize it and type it in at each login, use their password manager or paste it in. That means that in the situations where the regular password fails, they both fail together (e.g. key loggers, system breach, shoulder surfing).
Would this make the system safer? I think so. But not by that much. But that is the trade-off between security and convenience. It seems you cannot have both.