Comment by apitman
1 year ago
You are correct that this mitigates the security problems.
However, the method you're describing has fallen out of favor, in large part because mobile email apps often use a built-in browser that doesn't share cookies with the system browser. This creates several confusing UX problems. You also can't use a logged-in device to log in a new device, unless you implement something like QR login, which is also phishable.
Slack, for example, used to work the way you describe but now uses emailed codes for 1FA login.