Password Reset Flow as Login?
I'm thinking about making an authentication workflow where you just ask for a one-time login link and it gets sent to your email/phone, you click it and get your session. Any reason this is a Bad Idea™? It's for a not super critical service and users might go a couple months in between uses so I was thinking it'd be nice to not give them a passwordless option.
What happens when the user's phone or email is hacked or compromised? What if they lose access to that email address, or get a new phone number? Email and SMS are not secure (despite the use of SMS for 2FA).
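
A sketch of the server side of the one-time login link flow asked about above, as an added example that is not part of the original thread: tokens are random, stored only as a hash, expire quickly and work once, which narrows (but does not remove) the exposure from a compromised mailbox raised in the reply. The class name `LoginLinkStore`, the 15-minute lifetime and the in-memory dictionary are assumptions for illustration.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime; shorter means a smaller replay window


class LoginLinkStore:
    """Hypothetical in-memory store for single-use, expiring login tokens."""

    def __init__(self, ttl=TOKEN_TTL_SECONDS, clock=time.time):
        self._pending = {}  # sha256(token) -> (user_id, expires_at)
        self._ttl = ttl
        self._clock = clock

    @staticmethod
    def _digest(token):
        # Only the hash is kept, so a leaked table does not yield usable links.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id):
        # Requesting a new link revokes any older, still-unused link for that user.
        self._pending = {d: v for d, v in self._pending.items() if v[0] != user_id}
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._pending[self._digest(token)] = (user_id, self._clock() + self._ttl)
        return token  # goes into the emailed URL; never logged or stored in clear

    def redeem(self, token):
        # pop() removes the entry on first use, so a replayed link fails.
        entry = self._pending.pop(self._digest(token), None)
        if entry is None:
            return None
        user_id, expires_at = entry
        if self._clock() > expires_at:
            return None
        return user_id  # caller creates the session for this user


def demo():
    store = LoginLinkStore()
    token = store.issue("alice")  # constructed sample user id
    first = store.redeem(token)   # first click succeeds
    second = store.redeem(token)  # second click on the same link is rejected
    return first, second


if __name__ == "__main__":
    print(demo())
```
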