In any case I don't think it's a high level security issue; most people would probably implement their own sending by the time it is in production. More like something to think carefully about
SuperTokens is an open source authentication solution offering features like: Different types of login: Email / password, Passwordless (OTP or Magic link based).
