Thanks for pointing this out! I did mention it in my article, but didn’t go into it in detail:
(In fact, “Forgot Password” is clicked so often that some websites like Medium don’t even use passwords. They email you a one-time “sign in now” link in place of a “reset password” one.)
I actually find the system very convenient. I have one strong (I hope!) password for my email, and all the other logins can be managed from there.
In most cases, I don’t even think it would “increase that attack vector”. Most accounts are already connected to email, since that’s where the “Reset Password” links are sent. If an attacker gains control of your email account, then they can reset your password as easily as they would click on a ‘magic link’.
The only difference is that you’d get a notification somewhere else if someone reset your password, whereas if they used a ‘magic link’ and deleted the email after that, you would have no direct way of finding out about it (short of realising your email’s been hacked into).