anonymars 3 days ago
But I think with email login links you have one of several problems:

1. How do you know the email is for a session you actually initiated? In the extreme case, imagine maliciously triggering a login link for 100,000 users. How many will click the link and get their account taken over? I bet it's nonzero (what's the minimum net you must cast to get access to one account?)

2. Or, what about various software that automatically previews links? A GET request is not secure for this purpose.

3. But if you are instead suggesting a link takes you to an authenticated session (rather than authenticating an arbitrary session), now you have the problem that you must log into your email on the device from which you wish to access the account.
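To make the three concerns concrete from the defending side, here is an added example (my own sketch, not code from the commenter or from any product discussed in the thread) of a magic-link service that mitigates the first two: the token is bound to a nonce cookie set on the browser that requested the link, so an unsolicited link delivered to someone who never started a login cannot complete one, and the link only renders a confirmation page on GET, with the session issued solely on a POST that link previewers do not send. Tokens are also single-use and short-lived. The class, method names, the 600-second TTL and the e-mail addresses are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time
from typing import Callable, Optional

# Hypothetical design, not from the thread: a magic-link flow that
#  1. binds each token to a nonce cookie on the browser that asked for it,
#     so a link that reaches a mailbox unsolicited cannot finish a login;
#  2. never authenticates on GET (mail clients and chat apps fetch links
#     to preview them), only on an explicit POST from a confirmation page;
#  3. makes tokens single-use and expires them after a short window.

TOKEN_TTL_SECONDS = 600  # assumed lifetime of an e-mailed link


def _h(value: str) -> str:
    """Store only a hash of each secret so a leaked table cannot be replayed."""
    return hashlib.sha256(value.encode()).hexdigest()


class MagicLinkService:
    def __init__(self, now: Callable[[], float] = time.time):
        self._now = now          # injectable clock, makes expiry testable
        self._pending: dict = {}  # token_hash -> record

    def request_link(self, email: str):
        """Called when the user submits their address on the login page.
        Returns (token to embed in the e-mailed link,
                 nonce to set as an HttpOnly cookie on the requesting browser)."""
        token = secrets.token_urlsafe(32)
        nonce = secrets.token_urlsafe(32)
        self._pending[_h(token)] = {
            "email": email,
            "nonce_hash": _h(nonce),
            "expires": self._now() + TOKEN_TTL_SECONDS,
            "used": False,
        }
        return token, nonce

    def handle_link(self, method: str, token: str, browser_nonce: Optional[str]):
        """Endpoint the e-mailed link points at.
        Returns ("confirm", None) on GET  -> render a page with a POST button,
                ("login", email) on a valid POST -> create the session,
                ("reject", reason) otherwise."""
        if method == "GET":
            # A previewer or crawler lands here and gets nothing but a form.
            return ("confirm", None)
        if method != "POST":
            return ("reject", "method")
        rec = self._pending.get(_h(token))
        if rec is None:
            return ("reject", "unknown-token")
        if rec["used"]:
            return ("reject", "already-used")
        if self._now() > rec["expires"]:
            return ("reject", "expired")
        if browser_nonce is None or not hmac.compare_digest(_h(browser_nonce), rec["nonce_hash"]):
            # Opened in a browser that did not initiate this login: either an
            # unsolicited link (point 1) or a different device (point 3).
            return ("reject", "wrong-browser")
        rec["used"] = True
        return ("login", rec["email"])


if __name__ == "__main__":
    svc = MagicLinkService()
    tok, cookie = svc.request_link("alice@example.com")  # constructed address
    print(svc.handle_link("GET", tok, cookie))      # ('confirm', None)
    print(svc.handle_link("POST", tok, None))       # ('reject', 'wrong-browser')
    print(svc.handle_link("POST", tok, cookie))     # ('login', 'alice@example.com')
    print(svc.handle_link("POST", tok, cookie))     # ('reject', 'already-used')
```

The browser-nonce binding is exactly the trade-off the third point describes: the link now has to be opened on the device that started the login. The usual way out is to keep the binding but have the e-mail carry a short code the user types back into the original page instead of a link to click, which keeps points 1 and 2 covered without requiring mail access on the device being logged in.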