Magic/tragic email links: don't make them the only option

[portaouflop]

Many email clients will click the link and invalidate it - for example outlook is a classic here - so the best implementation does not use redirects/links at all.

OTP is far better than an actual magic link - you can still include a link that pre-fills the code.

[Spivak]

Yes but clicking the link itself shouldn't log you in. Any implementation of magic links that does this is broken because of link previews.

You click the button on the page which knows the session you're logging in from and link code and does a POST which completes the login. This is how all the "login by scanning QR code" flows work.

[portaouflop]

I see - but then you can just use OTP instead - it works in the same way and you can even use it cross device