
Link-only login is the most underused security option, even more so for low-profile sites that need a minimal user account but do not really need full-on security.


I’m curious. What is link-only login?


A link is generated, emailed to the user, and clicking the link logs them in.


I.e. what Facebook does if you don't log in for long enough. Two days ago I got a pair of messages to the same address with links to completely bypass login and verbiage about how they'd seen I was having trouble logging in, followed by an SMS message with the same to a phone number they're not supposed to be using. It looks a lot like phishing, but it comes out of Facebook's servers and they've done it to me before.


> to a phone number they're not supposed to be using

What do you mean?


I'm not the poster you're replying to, but: Facebook asks for your phone number for security/account recovery reasons, but then turns around and uses it to market to you.


... and some sites use it instead of passwords, i.e. there are no passwords at all, only email links.


So SSO but you have to trust the email provider instead of another random SaaS


Basically. Most websites already make you log in with an email and verify you have access to that email and use the email as a password recovery mechanism. May as well just use the email itself as the login.

Of course if everyone did this, then all of your logins would have the same password (your email login).


This sounds more or less like OTP.


It does, but usually you also get a long-lived cookie and it does not need any setup on the user side, so it is nice for non-technical users.


Spotify use this
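
The flow described in this thread (generate a link, e-mail it, log the user in on click, then hand out a long-lived cookie), as an added example that is not code from any commenter or from any site named here. The in-memory stores, both lifetimes, the `example.test` URL and all function names are assumptions.

```python
import hashlib
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

TOKEN_TTL = 15 * 60            # assumption: link is valid for 15 minutes
SESSION_TTL = 30 * 24 * 3600   # assumption: "long-lived" cookie = 30 days
PENDING = {}    # sha256(token) -> (email, expires_at); stands in for a DB table
SESSIONS = {}   # session id -> email

def _digest(token):
    # Only the hash is stored, so a leaked table cannot be replayed as links.
    return hashlib.sha256(token.encode()).hexdigest()

def issue_login_link(email, now=None, base="https://example.test/login"):
    """Create a one-time token and return the URL to e-mail to the user."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)          # 256 bits from the OS CSPRNG
    PENDING[_digest(token)] = (email, now + TOKEN_TTL)
    return f"{base}?{urlencode({'token': token})}"

def token_from_link(link):
    return parse_qs(urlparse(link).query)["token"][0]

def redeem_token(token, now=None):
    """Return the e-mail the token was issued for, or None if it is invalid."""
    now = time.time() if now is None else now
    entry = PENDING.pop(_digest(token), None)  # pop: a token works only once
    if entry is None or now > entry[1]:
        return None                            # unknown, reused or expired
    return entry[0]

def start_session(email):
    """Swap the spent token for a session id carried in a hardened cookie."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = email
    cookie = (f"session={sid}; Max-Age={SESSION_TTL}; Path=/; "
              "HttpOnly; Secure; SameSite=Lax")
    return sid, cookie

if __name__ == "__main__":
    link = issue_login_link("user@example.test")   # constructed address
    email = redeem_token(token_from_link(link))
    print(email, start_session(email)[1].split(";")[0][:16] + "...")
```

The token in the URL is spent on first use and never becomes the session identifier, so a link left in a mailbox or browser history cannot be replayed later.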



