The reassignment of an inactive phone number from one subscriber to another by a mobile operator. In identity systems, this becomes a security issue when applications keep trusting the number after ownership changes, because the old recovery path can reach a new person.
Expanded Definition
Mobile number recycling is the telecom practice of reissuing an inactive number to a new subscriber after a grace period. In identity and access management, the security problem is not the recycling itself but the stale trust many systems place in a phone number as if it were a durable identifier or recovery factor. That assumption breaks once the number is reassigned, because SMS-based resets, one-time passcodes, and account alerts can be delivered to the wrong person.
Definitions vary across vendors on whether the risk should be described as account takeover, identity proofing failure, or recovery-channel weakness, but the control issue is consistent: a phone number is a mutable telecommunications asset, not a persistent identity proof. NIST guidance on digital identity and the OWASP Non-Human Identity Top 10 both reinforce the broader principle that recovery paths need lifecycle-aware controls, not static trust. The most common misapplication is treating a recycled number as proof of continued account ownership, which occurs when applications do not re-verify the user after the number is reassigned.
Examples and Use Cases
Implementing number-based recovery strictly often introduces user friction, requiring organisations to weigh convenience against the risk that a recovered account will be handed to the wrong subscriber.
- An online bank sends password reset codes to a mobile number that was recycled after a customer changed carriers, allowing a stranger to intercept the recovery flow.
- A consumer email provider keeps trusting SMS alerts as a “known device” signal, even though the number now belongs to someone else.
- An enterprise help desk uses mobile numbers for identity verification during support calls, then fails to notice that the number has been reassigned.
- Security teams reviewing recovery-channel design can compare that practice with the lifecycle discipline described in the NHI Lifecycle Management Guide, because the same offboarding logic applies to stale trust in credentials and identifiers.
- Product teams building authentication flows can use NIST digital identity guidance to decide when a phone number should be treated as a contact method rather than an authenticator.
For teams mapping broader credential hygiene, the Ultimate Guide to NHIs is a useful reference because stale trust in any identifier creates the same operational blind spot.
Why It Matters in NHI Security
Mobile number recycling matters because identity systems often reuse the phone number as a fallback channel for humans and service operations alike, even though it has no inherent permanence. When that assumption fails, attackers can hijack recovery workflows, intercept MFA codes, or receive sensitive alerts. The NHI Management Group notes that only 20% of organisations have formal processes for offboarding and revoking API keys, and the same lifecycle failure pattern appears when recovery channels are left attached to identities after ownership changes. The risk becomes more serious when organisations rely on SMS as a second factor, because a recycled number can silently undermine both account recovery and step-up verification.
This issue is also visible in broader secret-handling failures documented in the Top 10 NHI Issues and the Guide to the Secret Sprawl Challenge, where stale credentials and stale contact points create the same exposure pattern: access persists longer than it should. Organisational controls should therefore remove phone numbers from high-trust recovery paths, require re-proofing after reassignment risk, and prefer phishing-resistant authenticators where possible. Organisations typically encounter the operational cost of number recycling only after a takeover, at which point the recovery channel becomes operationally unavoidable to address.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST SP 800-63, NIST CSF 2.0, NIST Zero Trust (SP 800-207) and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST SP 800-63 | AAL2 | Digital identity guidance addresses recovery-channel trust and authenticator re-binding. |
| OWASP Non-Human Identity Top 10 | NHI-02 | Stale recovery trust mirrors the secret and lifecycle weaknesses this top 10 targets. |
| NIST CSF 2.0 | PR.AC-7 | Identity verification and authentication must account for changing ownership of identifiers. |
| NIST Zero Trust (SP 800-207) | SC.L3-3 | Zero Trust requires continuous verification instead of permanent trust in a contact factor. |
| NIST AI RMF | AI systems that use phone numbers in user workflows need contextual risk evaluation. |
Classify recycled-number exposure as a lifecycle risk and monitor authentication decisions for stale identity signals.