sriku 9 days ago

A while ago, I implemented a sign-in approach that looks similar to this "send a link/code" mode but (I believe) can't be exploited this way - https://sriku.org/blog/2017/04/29/forget-password/ - appreciate any thoughts on that.

Btw this predates passkeys which should perhaps be the way to go from now on.

richardwhiuk 9 days ago | parent

One problem is you are requiring users to trust and click on a link in an email which is historically frowned upon. So you are undercutting phishing education.