From what am I reading, magic links require users to provide their email and the user will be sent an email with the link to sign-in, and the users can use this link to log into the system.
Can this be called authentication? What we are validating is only the possession factor making the person has access to the email, no where we are confirming the user identity.
How safe it is to validate only the possession factor of authentication. Anyone who knows my email can request sign-in link on my behalf
Can this be used with public emails like gmail, yahoo?
If this is considered a form of authentication, can it be compared to the
authorization_codeauthorization grant in OAuth? Is the unique code in a magic link comparable to the