> they marvel that it's somehow OK to email magic login links to people, but not to SMS logins
The answer here is that, even if you aren't emailing magic links, you're emailing magic links: the "forgot my password" flow is effectively a magic login link, because it uses your email as your single authentication method. There's then no additional loss of security if you use magic links instead of passwords.
The answer here is that, even if you aren't emailing magic links, you're emailing magic links: the "forgot my password" flow is effectively a magic login link, because it uses your email as your single authentication method. There's then no additional loss of security if you use magic links instead of passwords.