[definitelyauser]

"Secure" is relative.

I have a system I use where you enter your email and get a one-time code.

The goal in that system is not to securely authenticate you, merely to identify you. "Good enough" for the use case.

[remram]

In this case you might as well send a very long token, since it's going to be copy/pasted. TOTP codes are rather short. Or better yet, send a link to login: this can be made to work cross-device (copy/paste usually doesn't).