A good one-time-sign-in-link implementation will send a link to authenticate a session elsewhere, so you can click the link on your phone to complete login on the computer.
That assumes the user can click the link on the phone. The reason a user might be "using a shared/public computer out of necessity" might be because the user does not at that moment have working Internet on the phone. For instance, the user might be outside the home area without a roaming agreement, or the user might be out of prepaid credits on the phone.
That's kind of what Microsoft does in Microsoft Authenticator. It doesn't ask for a password, it sends a notification to your phone app and asks you to tap "65". The app then shows 3 numbers, one is 65. You log in on the other device after tapping. No passwords entered at all.
We did this for Mozilla Hubs (hubs.mozilla.com) specifically so people can easily sign in from within a VR headset which doesn't have a password manager and which is hard to type in.
However, the problem is that this goes so much against user expectations it just confuses people and they end up going through the grueling version of typing the long link in by hand in VR since they can't imagine it could be as easy as opening it on their phone. (We of course, call this out in the prompt, but nobody reads that.)
As a counterpoint to this, I quite dislike this approach, especially when the auth is a link instead of an OT2P, because now whatever I am accessing has metadata and can cross-correlate data from other providers about my phone. Amazon is one in particular that I experience, and I never click the link, and rather just type it out by hand on the system I am already trying to log in via.
cesarb|5 years ago
szszrk|5 years ago
They did a nice job on that one.
gfodor|5 years ago
sam_lowry_|5 years ago
arminiusreturns|5 years ago
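The cross-device flow from the first comment (start a login on one device, approve it by opening a one-time link on another, then the first device completes sign-in), as an added example that is not code from any commenter, from Microsoft Authenticator or from Mozilla Hubs. The class, the 300-second link lifetime and the in-memory store are assumptions; the defensive points it shows are that the link token is single-use, time-limited, bound to the pending login it was issued for, stored only as a hash, and compared in constant time.

```python
import hashlib
import hmac
import secrets
import time

LINK_TTL = 300  # seconds a sign-in link stays valid (assumed value)


class CrossDeviceLogin:
    """Pending logins started on one device and approved via a link on another."""

    def __init__(self, now=time.time):
        self.now = now
        self.pending = {}  # pending_id -> {user, token_hash, expires, approved}

    def start(self, user):
        """Called by the device that wants to sign in.
        Returns (pending_id, link_token); the link embeds both.
        Only the token's hash is stored, so a leaked store cannot replay links."""
        pending_id = secrets.token_urlsafe(16)
        token = secrets.token_urlsafe(32)
        self.pending[pending_id] = {
            "user": user,
            "token_hash": hashlib.sha256(token.encode()).digest(),
            "expires": self.now() + LINK_TTL,
            "approved": False,
        }
        return pending_id, token

    def approve(self, pending_id, token):
        """Called when the link is opened (e.g. on the phone).
        Rejects unknown, already-used or expired links; the token is burned on success."""
        rec = self.pending.get(pending_id)
        if rec is None or rec["approved"] or self.now() > rec["expires"]:
            return False
        given = hashlib.sha256(token.encode()).digest()
        if not hmac.compare_digest(given, rec["token_hash"]):
            return False
        rec["approved"] = True
        rec["token_hash"] = None  # single use: nothing left to match against
        return True

    def poll(self, pending_id):
        """Called by the original device. Returns the user once approved, else None.
        The record is deleted so an approval can be collected only once."""
        rec = self.pending.get(pending_id)
        if rec is None or not rec["approved"]:
            return None
        del self.pending[pending_id]
        return rec["user"]
```

Because the pending record is keyed by the id the first device created, a link approved on the phone can only ever complete that one login, not an attacker's separately started session.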