Links are more worse than otp but both can easily be secure if users check domain which users never do so links and otp are terrible. Long live passkeys.

> if users check domain which users never do

To be fair, can we blame them? There are so many legitimate flows that redirect like it’s a sport. Especially in payments & authn, which is where it’s most important. Just random domains and ping pong between different partner systems.