by jjav
1459 days ago
Login via URL ("magic link") is about as insecure as it gets. You can do worse, but have to try. Password reuse is bad because it allows compromising one site if another one is compromised. By sending someone a URL to log in via email, now you've effectively forced password reuse of their email password as the site password (because obviously, if someone gets access to email they also get access to the emailed links).

The point on password reuse I agree with, but the flakiness here is that there do unfortunately exist dodgy sites without TLS and without password hashing and salting in place. This overall increases the probability of a breach, and since reuse is common, the supposedly secure sites become vulnerable too. At least with email, most major email providers have some level of securing the email (for example, 2FA involved when attempting to log in from a different device).
If the comparison is between email magic links and a site that offers email / password with no recovery at all or "secret questions" as the means of password recovery, which I haven't seen in years, that's a whole other debate altogether.