Millions of people are at risk of scams and identity theft due to websites that authenticate users through links and codes sent via SMS, according to recently published research. The practice, intended to simplify the login process, leaves users vulnerable to a range of crimes.
The research paper, released last week, identified more than 700 endpoints delivering such texts on behalf of over 175 services. These services span various sectors, including insurance quotes, job listings, and referrals for pet sitters and tutors. Instead of requiring users to create and remember usernames and passwords, these services ask for a cell phone number during signup and then send authentication links or passcodes via SMS when the user wants to log in.
A key vulnerability lies in the use of easily enumerated links, the paper found. Because the security token is typically the last component of the URL, an attacker can potentially guess a valid link by altering that token. Doing so lets the attacker complete the login in place of the intended user and gain unauthorized access to the account without ever seeing the text message.
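As an added example, not code from the paper or from any service it studied, the following sketch shows how a login-link issuer can be built so that the token is not enumerable: a 256-bit random token, only its hash kept server-side, a short lifetime, and single use. The host name, function names and in-memory store are assumptions.

```python
import hashlib
import math
import secrets
import time
from typing import Dict, Optional, Tuple

# Constructed in-memory store: sha256(token) -> (user_id, expiry timestamp).
_PENDING: Dict[str, Tuple[str, float]] = {}
TOKEN_TTL_SECONDS = 600  # a login link should not stay valid for long


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Guessing space of a token as bits; a 6-digit code is under 20 bits,
    32 random bytes are 256 bits, which is what makes enumeration hopeless."""
    return length * math.log2(alphabet_size)


def issue_link(user_id: str, now: Optional[float] = None) -> str:
    """Mint a single-use login link with an unguessable token.

    secrets.token_urlsafe(32) draws 32 bytes from the OS CSPRNG, so
    modifying the token at the end of the URL (the weakness the paper
    describes) has no realistic chance of landing on a live token.
    Only the hash is stored, so a leaked table does not yield usable links.
    """
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    digest = hashlib.sha256(token.encode()).hexdigest()
    _PENDING[digest] = (user_id, now + TOKEN_TTL_SECONDS)
    return f"https://example.invalid/login?token={token}"  # placeholder host


def redeem_link(url: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user id for a valid, unexpired, unused link; else None.

    The entry is removed on first lookup, so a link works exactly once,
    even if the first use arrived after expiry.
    """
    now = time.time() if now is None else now
    token = url.rsplit("token=", 1)[-1]
    digest = hashlib.sha256(token.encode()).hexdigest()
    entry = _PENDING.pop(digest, None)  # unknown or already-used token -> None
    if entry is None:
        return None
    user_id, expires_at = entry
    return user_id if now <= expires_at else None
```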
"The ease with which these links can be manipulated is alarming," said [Expert Name], lead author of the study and a cybersecurity researcher. "It opens the door for malicious actors to compromise user accounts on a large scale."
The reliance on SMS-based authentication has grown in recent years as companies seek to streamline the user experience. However, security experts have long warned about the inherent risks of using phone numbers as a primary authentication factor. SMS messages are not encrypted and can be intercepted or spoofed.
The research highlights the need for stronger authentication methods, such as multi-factor authentication (MFA), which combines factors of different kinds: something the user knows (a password), something the user has (a phone or hardware token), and something the user is (biometrics).
While the paper did not name the specific services affected, it urged users to be cautious when clicking on links received via SMS and to enable MFA whenever possible. The researchers also called on companies to adopt more secure authentication practices to protect their users from potential harm.