Web Vulnerabilities: OTP or Reset Link

ADEKOLA Abdwahab - Feb 9 '23 - Dev Community

One of the principal actions on the internet is authentication. Authentication, not to be mistaken for authorization, is the process an application goes through to confirm that a supposed user is actually who they claim to be.

Basic authentication (pun?) involves the user providing a combination of username and password. Sometimes an email address is used in place of the username. The username/email and password combination is provided during signup.


If a user ever forgets their username or password, one way to get them back into their account is to confirm that the user has access to the associated email address.

To do this, some platforms send a reset link to the email address, expecting the user to click it; whoever does is taken to be the legitimate account owner and is allowed to reset the password.

Another way is to send an OTP to the email address and expect the user to enter it correctly into a form on the platform.

I have built solutions that employ both methods, and from my experience with web security and vulnerabilities I will say OTP is the better option. Why?

With reset links, some email clients will not make the link clickable by default, leaving your users stranded, except for the few who understand that they can copy it.


Unless there is some kind of action that has to be performed on the page the link directs to, we cannot be sure who clicked the link or why; it might have gone to the wrong email address and the recipient pressed it from their mailbox by mistake.

Recipients of links are susceptible to being phished, and some security-conscious users would be reluctant to click.

OTPs are discrete; they cannot be broken like links, and the platform can be sure that the verification was accurate, to the tune of 98%.
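As an added example (not code from the original post), here is a minimal OTP issue/verify pair in Python with the properties that let a platform trust the result: codes are random, stored only as a salted hash, expire, are single-use, and are capped at a few attempts. The in-memory `_pending` store and the `issue_otp`/`verify_otp` names are assumptions.

```python
import hashlib
import hmac
import secrets
import time

OTP_DIGITS = 6
OTP_TTL_SECONDS = 600   # a code is only valid for 10 minutes after issue
MAX_ATTEMPTS = 5        # cap guesses: a 6-digit code is only safe if it cannot be brute-forced

# Hypothetical in-memory store keyed by email address (a real app would use a DB or cache).
_pending = {}


def _hash_code(code: str, salt: bytes) -> bytes:
    # Store a salted hash rather than the code itself, as with passwords.
    return hashlib.sha256(salt + code.encode()).digest()


def issue_otp(email: str, now=None) -> str:
    """Generate a fresh numeric OTP for this email and store only its salted hash.

    The returned code is what the platform would send to the user by email.
    Re-issuing replaces any code that is still pending for the same address."""
    now = time.time() if now is None else now
    code = "".join(secrets.choice("0123456789") for _ in range(OTP_DIGITS))
    salt = secrets.token_bytes(16)
    _pending[email] = {"hash": _hash_code(code, salt), "salt": salt,
                       "expires": now + OTP_TTL_SECONDS, "attempts": 0}
    return code


def verify_otp(email: str, submitted: str, now=None) -> bool:
    """Check a submitted code against the pending record for this email.

    Fails if nothing was issued, the code expired, or the attempt cap was hit.
    A matching or exhausted record is deleted so each code can be used only once."""
    now = time.time() if now is None else now
    rec = _pending.get(email)
    if rec is None:
        return False
    if now > rec["expires"]:
        del _pending[email]
        return False
    rec["attempts"] += 1
    # Constant-time comparison so response timing does not leak matching digits.
    ok = hmac.compare_digest(_hash_code(submitted, rec["salt"]), rec["hash"])
    if ok or rec["attempts"] >= MAX_ATTEMPTS:
        del _pending[email]
    return ok
```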

Which one do you prefer?
