top | item 42632763

(no title)

>absolutely worse from a security perspective than passwords

Is it though? Majority (if not all) services I frequently use have email as recovery option for forgotten passwords.

discuss

It is certainly not all, and most security conscious sites offer other recovery options like one time use codes. Many also allow for time delayed account recovery, which aren’t a usable option for magic links.

In any case the correct approach here is to fix password reset/account recovery (e.g. with social key recovery) rather than reduce everything to the lowest common denominator.

It also can be said to lower security because it instills the behavior of clicking on links in incoming emails as a standard practice.