It becomes too weak when a single phone signal is treated as proof of identity for every use case, especially account recovery or sensitive access. Shared devices, recycled numbers, and disputed ownership reduce assurance quickly. Once those conditions appear, teams need a stronger fallback path instead of forcing completion.
Why This Matters for Security Teams
Phone-based identity is often used because it feels simple, but simplicity can hide weak assurance. A phone number can be shared, recycled, forwarded, or ported, which means it does not reliably prove that the person at the other end is the same person who enrolled. That risk grows sharply when a phone signal is used as the only factor for account recovery, prescription access, or onboarding into regulated services.
For patient onboarding, the question is not whether phone verification works at all. The real issue is whether it provides enough assurance for the specific action being taken. Current guidance suggests that identity proofing should scale with risk, not convenience. The same logic appears in stronger identity and fraud controls, including the FATF Recommendations, which treat assurance as contextual rather than binary. NHI Management Group’s Ultimate Guide to NHIs also shows how identity failures become dangerous when credentials or identifiers are treated as durable proof instead of one control among many.
In practice, many security teams encounter phone-based identity failures only after a recycled number, SIM swap, or shared-device scenario has already been used to bypass a recovery flow.
How It Works in Practice
Phone-based onboarding usually works best as a low-assurance signal, not a final identity proof. A code sent by SMS may confirm possession of a device at a moment in time, but it does not confirm stable ownership, private control, or resistance to number reassignment. That distinction matters in patient workflows where the wrong person gaining access can expose clinical records, insurance data, or messaging channels used for care coordination.
Security teams should separate contactability from identity assurance. Contactability means the organisation can reach the user. Identity assurance means the organisation has enough confidence to grant a specific action. For lower-risk use cases, a phone number can still help with notifications or step-up prompts. For higher-risk use cases, it should be combined with stronger evidence such as government ID checks, knowledge-based checks where appropriate, document review, or in-person verification depending on jurisdiction and risk tolerance.
Phone-based onboarding also needs a defined fallback path. If a patient changes carriers, loses the device, or inherits a recycled number, the organisation should not force the person through the same weak channel. Instead, it should route them to a recovery path with stronger evidence and manual review where needed. That approach aligns with risk-based identity practices described in the NIST identity and access management guidance and with the broader identity risk lessons in 52 NHI Breaches Analysis, where weak trust in a single control often enabled broader compromise.
- Use phone signals for convenience, not as sole proof for high-impact actions.
- Escalate to stronger verification when account recovery, PHI access, or payment activity is involved.
- Track number recycling, porting, and shared-device risk as identity threats, not just telecom issues.
- Define a non-SMS fallback path before a failure occurs.
These controls tend to break down in high-volume self-service onboarding where operational pressure pushes teams to accept a single phone factor as sufficient proof.
Common Variations and Edge Cases
Tighter identity verification often increases friction and abandonment, requiring organisations to balance enrolment speed against fraud resistance and regulatory exposure. That tradeoff is real, especially in healthcare access where patients may need fast digital entry but the downstream impact of misidentification is severe. Best practice is evolving, and there is no universal standard for exactly when phone-based identity becomes too weak.
Several edge cases change the answer. Prepaid numbers, family-shared phones, care-giver-managed devices, and patients with unstable housing can all make phone possession a poor proxy for personhood. In those cases, a phone may still be useful for communication, but it should not carry the full weight of onboarding assurance. The same caution applies when onboarding is tied to sensitive privileges such as portal messaging, medication history, or proxy access.
Organisations should also distinguish between authenticating an existing user and proving identity for first-time enrolment. A phone number might be acceptable for routine login step-up in a low-risk setting, but it is usually too weak when the process creates a new medical identity, resets recovery controls, or unlocks sensitive records. NHIMG’s Top 10 NHI Issues and the broader Ultimate Guide to NHIs both reinforce a core lesson: identity controls fail when one weak signal is asked to do the work of a full assurance program.
Where regulated onboarding depends on durable identity proof, current guidance suggests treating phone-based methods as a supporting factor only, not the final gate.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-63, NIST Zero Trust (SP 800-207) and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-1 | Identity proofing and access decisions must match onboarding risk. |
| NIST SP 800-63 | IAL2 | IAL guidance maps directly to identity assurance strength during enrolment. |
| NIST Zero Trust (SP 800-207) | Zero Trust rejects implicit trust in a single weak factor like SMS. | |
| NIST AI RMF | GOVERN | Governance is needed to define acceptable assurance for patient onboarding. |
| OWASP Non-Human Identity Top 10 | NHI-01 | Weak credential and factor handling can enable account takeover through phone-based flows. |
Set onboarding assurance level by risk and add stronger verification when phone evidence is insufficient.