
For some prior art, Okta avoids the email link scanning issue by requiring "same browser, same device" (sessions) [1]. An OTP code is included in the email as a fallback for users receiving mail on a different device than they're trying to log in to.

[1]: https://developer.okta.com/docs/guides/email-magic-links-ove...
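A sketch of the session-bound magic link with OTP fallback described in the comment above, as an added example that is not part of the original comment and is not Okta's code. The function names, the in-memory store, the TTL and the retry limit are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

TTL = 600          # seconds a login attempt stays valid (constructed value)
MAX_OTP_TRIES = 5  # constructed value
_pending = {}      # sha256(link token) -> record; in-memory stand-in for a real store

def _h(value):
    return hashlib.sha256(value.encode()).hexdigest()

def start_login(email, session_id, now=None):
    """Runs for the browser that starts the login; returns (token, otp) for the email."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    otp = f"{secrets.randbelow(10**6):06d}"
    _pending[_h(token)] = {"email": email, "session": _h(session_id),
                           "otp": _h(otp), "expires": now + TTL, "tries": 0}
    return token, otp

def redeem_link(token, session_id, now=None):
    """Handles a GET of the emailed link; session_id is the requester's session cookie."""
    now = time.time() if now is None else now
    rec = _pending.get(_h(token))
    if rec is None or now > rec["expires"]:
        return "invalid"
    if not session_id or not hmac.compare_digest(rec["session"], _h(session_id)):
        # Mail scanner or another device: keep the token unconsumed, ask for the code.
        return "enter_code"
    del _pending[_h(token)]  # single use
    return "logged_in"

def redeem_otp(email, otp, session_id, now=None):
    """Fallback: the code is typed into the browser session that started the login."""
    now = time.time() if now is None else now
    if not session_id:
        return "invalid"
    for key, rec in list(_pending.items()):
        if rec["email"] != email or rec["session"] != _h(session_id):
            continue
        rec["tries"] += 1
        if now > rec["expires"] or rec["tries"] > MAX_OTP_TRIES:
            del _pending[key]
            return "invalid"
        if hmac.compare_digest(rec["otp"], _h(otp)):
            del _pending[key]
            return "logged_in"
    return "invalid"
```

A link scanner that fetches the URL carries no matching session cookie, so it gets `enter_code` and the link still works afterwards in the original browser.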


