by shillster 4118 days ago
Passing tokens around via email isn't very secure. It's not like email is encrypted.
2 comments

Right, but an expiring, single-use link that will send a second email saying "someone from X place just logged in, so contact us if this wasn't you" is still good enough in most cases. To see that, ask which sites will send you a password reset mail when you forget your password. My bank certainly won't -- I have to talk to a person -- but most others do, making their passwords useless.
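The scheme the comment above describes, as an added example that is not code from the thread or from any site it mentions: tokens are random, only their hash is stored server-side, each one expires and is consumed on first use, and a successful login records a "someone from X just logged in" notification. The 15-minute lifetime, the in-memory store and the notification format are assumptions.

```python
"""Expiring, single-use login tokens with a login notification.

Added example for the thread above, not code from the original page.
The 15-minute TTL, the in-memory store and the notification text are
assumptions; a real deployment would back the store with a database."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Assumed lifetime: a short window limits how long an intercepted mail is useful.
TOKEN_TTL_SECONDS = 15 * 60


@dataclass
class _Pending:
    user: str
    expires_at: float


@dataclass
class MagicLinkService:
    now: Callable[[], float] = time.time          # injectable clock, so expiry is testable
    _pending: Dict[str, _Pending] = field(default_factory=dict)  # token hash -> pending login
    notifications: List[str] = field(default_factory=list)       # "someone just logged in" mails

    @staticmethod
    def _digest(token: str) -> str:
        # Store only a hash of the token: a leaked table does not yield usable links.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user: str) -> str:
        """Create a token for `user`; the caller puts it in the emailed link."""
        token = secrets.token_urlsafe(32)          # 256 bits of entropy, unguessable
        self._pending[self._digest(token)] = _Pending(user, self.now() + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, token: str, client_ip: str) -> Optional[str]:
        """Consume `token`; return the user on success, None otherwise.

        The entry is removed whether or not it has expired, so a token can
        never be redeemed twice, and every successful login produces a
        notification the user can act on if it was not them."""
        digest = self._digest(token)
        # Constant-time comparison against each stored hash avoids leaking prefix matches.
        match = next((d for d in self._pending if hmac.compare_digest(d, digest)), None)
        if match is None:
            return None
        pending = self._pending.pop(match)         # single use: gone on first redemption
        if self.now() > pending.expires_at:
            return None                            # expired: dropped, not accepted
        self.notifications.append(
            f"To {pending.user}: someone from {client_ip} just logged in; "
            f"contact us if this wasn't you"
        )
        return pending.user


if __name__ == "__main__":
    svc = MagicLinkService()
    link_token = svc.issue("alice")
    print("first redemption:", svc.redeem(link_token, "198.51.100.7"))
    print("second redemption:", svc.redeem(link_token, "198.51.100.7"))
    print(svc.notifications)
```

Because the second redemption fails and the first one produces a notification, an attacker who reads the mail only wins if they also click before the legitimate user does, and the user then gets told about it; that is the "good enough in most cases" argument made above, reduced to code.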
This is not necessarily through email. I was referring to the scenario where the user has both screens open and is being shown the token on one and typing it on the other. I agree about the insecurity of email.