Hacker News

Links are worse than OTP, but both can easily be secure if users check the domain, which users never do, so links and OTP are terrible. Long live passkeys.


> if users check the domain, which users never do

To be fair, can we blame them? There are so many legitimate flows that redirect like it’s a sport. Especially in payments & authn, which is where it’s most important. Just random domains and ping pong between different partner systems.



