
Magic links are annoying for users.


I always forget how stinking nice password manager autofill is until I have to fight with magic links because some service hates me. And most implementations I've seen only log you in from the new link the email sent, not the original page. So if you are trying to log in on a device your email isn't signed in on, you get to type the entire thing in on your second device.


> And most implementations I've seen only log you in from the new link the email sent, not the original page.

Probably because:

- Bad actor A attempts to login
- User B sees the email and unthinkingly clicks the magic link
- Bad Actor A now has access.

There are probably ways around this (browser session/cookies/IP/etc must match?) but that'd be a common enough scenario...

Common enough that e.g. Microsoft Authenticator switched from sending a notification that you can tap to approve/reject (same as scenario above) to needing to enter a 2-digit code that you also see on the webpage (so without seeing Bad Actor A's page you cannot enter the code and approve their login).


More times than I would like, I have had to manually type out some ludicrously long secret key/token/url. Could we please standardize on only using long strings that do not require il1o0 in them? I suppose it is a failure of Latin or the default fonts with which I am frequently stuck, but it would save me a minor bit of life aggravation.



