I’m not sure you would need as many security checks as standard password systems. The token link you’re sent will work only once and must be associated with the existing token you have in your browser. Even if someone obtained the link, they wouldn’t be able to use it.
As for risks of email spamming, remember that an email could only be sent to a registered user so it wouldn’t necessarily be prone to attacks. Limiting requests would be an option, though.
SMS costs could be high, but it really depends. Some services are free and it could be negligible for a small number of users. That said, I think email would be more practical in most cases.