We are on the same page about magic links. Email is also not a super-reliable medium of communication. Email can arrive straight into the junk mail, late, or even never. I think magic links should be strongly discouraged for serious projects, businesses, and government. Passwords and application-based MFA (not SMS or Email MFA) or webauthn/passkeys are much better.

This whole discussion started when @meindnoch wrote ">Sign in or create an account with your email. Into the trash it goes.".

I think magic links are acceptable for a small solo developer project. Expecting a solo developer so shoulder the burden of rolling their own auth, paying for an auth service, or self-hosting an containerised auth-service and wiring their application to it is a bit much for a tiny project like this.

Anything more than a small solo project should graduate to a better solution- I hope we can all agree with that.