I'd argue at this point that magic links are more secure:
1. Nearly every online service needs some sort of "forgot password" flow, and often times that flows boils down to what is essentially a magic link like TFA is about.
2. The vast majority of users these days use either personal email accounts from one of the big providers (Google, Yahoo, MS), or they use corporate accounts often through a hosted solution. 9 times out of 10 I'd bet the email provider has better security than whatever rinky dink website you may be creating an account on.
Emailing magic links is essentially "poor man's SSO". It makes much more sense IMO to have super secure email accounts (e.g. ideally with passkeys) and then just use magic links for everything else.
Learning how to password effectively is something that comes up in B2B in many non trivial software.
Magic link is effectively passwordless login, behind a facade outsourced to a third party provider.
Passwords are much more actual consent, than clicking on a link in an email account that might be open on a screen or device... not always.
SSO is technically easier than poor man's sso, it's just one click once logged in. Magic links make me switch a screen to make it easier for the developers of Magic Link to not implement SSO.
Fingerprints are a username, not a username+password. It's super convenient, but well established not secure.
Face-ID logins are more a username, should not be a username+password - selling it as secure is not ideal, but it is super convenient.
SMS verifications too, are a little weak, since SMS' generally are like post cards. But they are very convenient. Until someone does something to get malware into your phone, or your phone number itself which seems to happen so often.
Now, magic links are very convenient. And definitely can remove friction to you know, get a user onboarding to the point of adoption.
1. Nearly every online service needs some sort of "forgot password" flow, and often times that flows boils down to what is essentially a magic link like TFA is about.
2. The vast majority of users these days use either personal email accounts from one of the big providers (Google, Yahoo, MS), or they use corporate accounts often through a hosted solution. 9 times out of 10 I'd bet the email provider has better security than whatever rinky dink website you may be creating an account on.
Emailing magic links is essentially "poor man's SSO". It makes much more sense IMO to have super secure email accounts (e.g. ideally with passkeys) and then just use magic links for everything else.