Log in links now coming via SMS too

Your concerns sound perfectly reasonable, no doubt Monzo’s user’s are being targeted by phishing attacks and some of those will succeed. In my opinion though, it’s likely that the successful attacks will have got past users who don’t understand the security risks of clicking links (in emails or elsewhere) anyway.

And even if Monzo changed it’s verification method, other companies wouldn’t so trying to teach users not to click links (in emails or elsewhere) does seem a little futile. The only reason why Monzo’s links are ‘worse’ is because they’re being used for authentication. But the authentication emails are only being sent when they’re explicitly requested - people will make the association between emails they request & safe links, not just all links.

While this information

will only be published annually, Monzo will obviously be keeping a close eye on the number of account breaches that users experience & if that’s higher than average I’m sure the approach will be changed.
In the meantime, personally, I would prefer to use magic links because I’m confident that it’s not going to decrease the security of my account.

Can we opt out of this? If login links are sent via SMS, then the security on my bank account is only as good as my mobile phone company’s security, which is generally pretty poor. It’s all too easy to hijack someone else’s mobile number and get their SMS messages. NIST in the US has recently recommended against using SMS for two-factor authentication for this very reason. Your login method requires a secure and verified channel between you and the user, and SMS isn’t good enough for that. (Email is also a bit dodgy, but at least there are things I can do to secure my own email, even if most of your users probably don’t.)