[miketmahlkow]

I can second that. I prefer password logins over magic links via email. It adds too much friction. I can understand that it might be easier for people who are not using a password manager.

For most services I prefer a combination of password and authy-based 2FA. For very specific purposes, some kind of hardware-based authentication, for example with yubikeys makes sense.

[jsunderland323]

Magic links are great because they essentially eliminate ATO attacks and allow startups to bypass SAML requirements by delegating to the mail provider. I’m 100% willing to forgo efficiency gains of passwords and managers as both a user and developer.

[rkagerer]

All you're doing is punting your security to my email provider. It's annoying how many companies assume I have absolute trust in my ISP/Google/Miscrosoft/IT.

[ceejayoz]

> essentially eliminate ATO attacks

They kinda increase the blast radius of an ATO attack on your email account, though.

[jasfi]

Replying too late, most likely. But with access to your email account someone could reset your password to what they want it to be and gain access.