Debunked how? It seems the consensus is that it’s just as secure as using a username and password and allowing the user to reset via email. It’s been discussed here a few times.
You have zero control over how their email is handled - and you're providing a way to login, no questions asked, with just access to their email.
The usual "argument" about email resets is irrelevant - a password reset (a) doesn't have to be fully automated, (b) doesn't grant invisible access to an attacker (c) should leave an obvious audit trail
The usual "argument" about email resets is irrelevant - a password reset (a) doesn't have to be fully automated, (b) doesn't grant invisible access to an attacker (c) should leave an obvious audit trail