If you send links with a secret login token with email, then they should be single-use and expire rather quickly.

If the link can only be used once with a short expiry time and no info in the link can be used to derive secrets in the session it creates then you should be fine. Effectively, the link serves as an one-time password.

If so, then how is sending a link for password reset any more secure? Isn't logging-in using a magic link the same thing as sending a magic link for resetting a password?

A given secret from an authenticator SHALL be used successfully only once.

We now take an opinionated stance on which second factor you should set up first – you'll no longer be asked to choose between SMS or setting up an authenticator app (known as TOTP), and instead see the TOTP setup screen immediately when first setting up 2FA.

Fortunately, we found RingCaptcha (https://ringcaptcha.com), which has a the 'starter plan' that offers free 500 OTP monthly. Just a small plug for them for providing freemium service; they are highly reliable because they are integrated with all major global, and regional providers, e.g., Twilio, Nexmo, Infobip, MessageBird, etc., and send your OTP through the best provider/route based on country/phone carrier, and can auto fallback to alternative paths. This means you just need to integrate with RingCaptcha, without the headache of deciding which SMS/voice OTP provider has best combination of price and reliability, which is a real headache when you are sending OTP world-wide.

One-time passwords are generated on demand by a dedicated OATH OTP authenticator that encapsulates a secret that was previously shared with the verifier. Using the authenticator, the claimant generates an OTP using a cryptographic method. The verifier also generates an OTP using the same cryptographic method. If the two OTP values match, the verifier can conclude that the claimant possesses the shared secret.

The verifier MUST NOT accept the second attempt of the OTP after the successful validation has been issued for the first OTP, which ensures one-time only use of an OTP.