[yawaramin]

> Magic links without an OTP fallback are more secure as the initial setup process because they can't be phished...but it's much harder to get them to provide the link to them.

It's not that much harder. 'Due to security reasons, please copy and paste the entire link that we just sent you into the following input box. If you don't, your account will be compromised!'

[lolinder]

That's way harder than just asking someone to do the exact thing that they've already done over and over on your legit site. Sure, some will still fall for it, but the bite rate will go way down.

[yawaramin]

Phishing attempts by definition create artificially urgent abnormal situations whose job it is to convince the intended victim that they're legitimate. A difference in degrees like this strikes me as not really something to haggle about. Users who fell prey to the attack aren't going to be reassured on hearing how much more unlikely it was.