by adastra22 525 days ago
> Essentially every service that would be inclined to use magic links would already have a way to reset your password entirely once the email is compromised

Well, don't do that.

Do you have an alternative proposal for letting users back into their accounts when they inevitably lose their passkey? Because if you don't, this isn't a serious answer.

Password, not passkey. Recovery codes should be set up on account creation, but recovery of the password manager itself is what is required, and that usually has its own recovery mechanism.

Social key recovery is an underutilized solution as well.

How do you do account recovery when you lose a password or MFA token?

Of course, any website's auth system is as weak (or strong) as their recovery process. Different sites will implement this differently.

Typically by email, which OP says "don't do".