This seems like brad coming up with a list of things that annoy him, without any data to back it up. I also like using password managers, but all that really matters are the results that services get from different flows. Magic links, for example, have almost certainly been a/b tested by the services using them, and most likely lead to better outcomes. There are a lot of genuine issues with passwords that password managers solve, but I would guess most people still don't use a password manager. For this kind of thing, doing experiments and following the numbers seems like the only way to do it. Why trust your gut when you can so easily get real data?
I think you and Brad are making different arguments. I think you're both right in different ways.
You're correct that convenience features like this, despite undermining password managers and interrupting power-user security practices, create positive business outcomes. Ditto for things that win A/B tests.
But user experience != business experience. Positive business outcomes don't imply that users are being maximally well served under the winning system. Example: anything by Comcast or Verizon.
---
Separately, I believe in the case of Notion specifically, their use of emailed unique strings in place of passwords is a security decision made by them to avoid storing credentials, which they consider riskier than the magic links. While I find this tedious as well, I respect the decision and it's not a frequent PITA.
The magic link / Notion example is completely lost on me.
"The pattern is incredibly tedious"
That's the point. You log in to your email to log in to your Notion. It's not 2FA, but maybe there should be some other term for it (like External Factor Authentication). I think unifying all of our logins against our email would be a step forward, not backwards. Then, sure, use your password manager for your email log in.
"This doesn’t work at all with password managers"
Yes, because there's no password to manage. Even if password managers end up supporting this flow, that'd require email access, and that seems like a Bad Idea™. Funnily enough, I'm sure that if password managers started supporting magic links with email access, UX people would rejoice even though it's a security concern.
"It forces users to learn a new convention"
Yes, it does. Granted, the Notion flow could be easier by injecting the temporary password into the log in URL, such that the end-user doesn't have to copy and paste it over.
