d_theorist 8 days ago
I think the "click a link in the email" solution is more than a "tiny" bit better, isn't it? It almost completely solves the attack pattern you laid out. Passing the whole link to BAD is not only more tedious but totally ridiculous. That is not the kind of thing that even totally naive users would do. And there is a significant benefit of not needing to worry about weak or repeated passwords, password leaks, etc. Overall that pattern feels significantly better to me than a normal password system, and MUCH better than the "we'll send you six digits to copy and paste" solution.