Hacker News

The ddg browser part is simple to explain: you followed a link that was generated specifically for this email sent to you. When you click it fb knows who you are (so they directly log you in), but also that you reacted to this specific clickbait campaign.

Expect more trash from them since it worked once.



So if someone gains access to your email, they also get FB access…?


Yes, these are often referred to as "Magic Links."

When it comes to the security implications, consider that email has long been a "single point of failure" for a lot of services in the form of the "forgot password" feature that emails you a link to reset your password.

When I'm talking to non-tech people in my life about how best to protect themselves, I usually tell them to think about priorities and disaster scenarios. What would suck the most if it got hacked? The two that are usually at the top of the list for pretty much everyone are email and online banking. Others might include Amazon accounts (hackers can order themselves gift cards with your CC if compromised etc.) Prioritize securing those with a strong password + MFA. The rest is case by case but make sure to use a password manager so you're not reusing passwords.


I have never seen a use of a Magic Link that wasn't because I asked the Magic Link to be sent to me. Never, ever had one sent to me in a marketing/engagement email.


Facebook is able to realize outsize cross-web tracking benefits by having you logged in as long as possible. Few other companies are able to realize comparable benefits because they don't have the same ad-serving aspirations coupled with "Login with Facebook" reach.

Google is comparable, but it's too risky for them to have so many magic links hanging around in customer inboxes, because Google identities tend to be tied to far more sensitive 3rd party applications. Which is not to say that there are no sensitive applications with "Login with Facebook", but I'll argue there are fewer.


Yes, but that's pretty common for most services.

Clicking "forgot password" typically sends you an email prompting you to set a new one; this is similar, in a sense.


They'll probably make you reauthenticate as soon as you do anything, but who knows...


That's usually how password reset emails work.


> So if someone gains access to your email, they also get FB access…?

I mean, that's how it works for most websites. I think I have 2FA turned on for FB, but honestly the phone system is way less secure than email at Google/Microsoft.


Yeah, I gathered as much, but still, just a single URL to an email address to log me in? What about my 36 char password and my 2fa app?

Edit: I just found I didn't set up 2fa. I wonder, if I had, would they still do this? Then it would have just blatantly ignored my second factor...


They want control over the post content (in case it's deleted, edited, etc) and also track your interaction ASAP, so they link it instead of embed.

You will be asked to authenticate if you try to do anything.


Just checked, I am fully logged in in a clean ddg browser session, and can accept friend requests, etc. But I don't have 2fa enabled.


It may be that the link only worked once. Try again after logging out. Does it work?


Clicked it again, it says: The link you clicked may have stopped working or the page has been moved.

Can still log in as often as I want into clean browser sessions. Even when I log out, clean the session, tapping the url logs me in again.

And every time FB sends me an email: "Someone logged in from some location, was it you?"



