It is probably the best solution if you can't/won't do real MFA.
Changing passwords relies on mail 99% of the time anyway. So if you are using mail+password to authenticate, you are basically doing magic links with extra steps.
Yes. For some people, product owners don’t want to hear this. If having access to email means you can access the account, then don’t prance around that with complicated recovery steps.