All those SMS login links may not be a good idea.
A paper published last week has found more than 700 endpoints delivering such texts on behalf of more than 175 services that put user security and privacy at risk. One practice that jeopardizes users is the use of links that are easily enumerated, meaning scammers can guess them by simply modifying the security token, which usually appears at the right of a URL. By incrementing the token—for instance, by first changing 123 to 124 or ABC to ABD and so on—the researchers were able to access accounts belonging to other users. From there, the researchers could view personal details, such as partially completed insurance applications.
In other cases, the researchers could have transacted sensitive business while masquerading as the other user. Other links used so few possible token combinations that they were easy to brute force. Other examples of shoddy practices were links that allowed attackers who gained unauthorized access to access or modify user data with no other authentication other than clicking on a link sent by SMS. Many of the links provide account access days or even months after they were sent, further raising the risk of unauthorized access.