by jiveturkey 1459 days ago
They are generally secure. Password reset typically uses email as the sole factor. So it's no less secure than that, which is generally considered necessary and secure.

In an enterprise setting, access to email can be made to require MFA. The email loop itself, to major providers, is generally secure.

Yes exactly. If the email itself doesn't require MFA, you can always add MFA on top of email magic links.

You mean the SaaS can add their own MFA? No, they can't. If you do that, you have no reasonable way to recover accounts. You go down the rabbit hole of extremely difficult UX vs. easily bypassed MFA. Once you add MFA, you cannot allow account recovery without it. This is the still-hard part of MFA.

By the time you go through all the rigamarole, you're just better off forcing your customer to manage their own MFA.