by sriku 2574 days ago
It is one way to go "passwordless"... though you're piggybacking on the security that your email system already has.

Shameless plug of an old post that describes how to restrict login to only the initiator even if login is initiated via an email link - http://sriku.org/blog/2017/04/29/forget-password/

2 comments

You're relying on your email security either way, since anyone can trigger the password reset email if they get access to your email account.
This breaks my workflow -- I almost never open the forgot-password email on the same machine I used to initiate the request. Usually I need to briefly access a personal account from somebody else's computer or my work computer, and when I'm told I need to check my personal email, I only want to open that on my phone.