TL;DR: Recycled mobile numbers can redirect SMS-based login and recovery flows to new subscribers, creating account takeover and fraud exposure across social, banking, healthcare, and e-commerce accounts, according to IDlayr. The trust assumption is the problem: number ownership is not the same as SIM-linked identity, so mobile login controls need stronger binding than SMS OTP alone.
At a glance
What this is: This article argues that recycled mobile numbers create a real identity binding failure when login and recovery depend on the phone number alone.
Why it matters: It matters because IAM teams, fraud teams, and digital identity owners need controls that distinguish number possession from verified SIM or device ownership before granting access.
By the numbers:
- In the United Kingdom, mobile providers typically recycle numbers within 70 to 180 days.
- A study of 259 recycled numbers found that 215 were effectively recycled and remained vulnerable to exploitation.
- Only 5.7% of organisations have full visibility into their service accounts.
👉 Read IDlayr's analysis of recycled mobile numbers and mobile identity risk
Context
Mobile number reuse turns a convenient identifier into a weak identity anchor when organisations treat possession of a number as proof of account ownership. The primary issue is not the phone network itself, but the trust model that sits on top of it: when a number is reassigned, old recovery and authentication paths can still reach the new subscriber.
For identity programmes, this is a human IAM problem with NHI-like trust characteristics because the credential is external, reused, and weakly bound to the actual subject. Once a login flow relies on SMS OTP or number-based recovery, the security decision depends on an attribute that can change hands outside the enterprise's control.
The article's starting position is typical of many consumer and employee identity designs: the system assumes phone number continuity, even though mobile operators routinely recycle numbers. That assumption breaks down fast in real-world identity recovery flows.
Key questions
Q: How should organisations handle recycled phone numbers in account recovery flows?
A: Organisations should treat recycled numbers as untrusted recovery channels unless the current SIM or subscriber identity is re-verified. SMS delivery alone does not prove ownership. For high-risk accounts, require a stronger factor before reset or step-up access, and remove any recovery path that depends only on number possession. That is the safest way to prevent accidental takeover when a number changes hands.
Q: Why do phone-number based login methods create account takeover risk?
A: They create risk because the control follows the number, not the person. When numbers are recycled, ported, or reassigned, the next subscriber can receive verification codes and recovery messages intended for the previous owner. This makes phone-number trust fragile for identity assurance and especially dangerous where the same number unlocks multiple accounts or services.
Q: What do security teams get wrong about SMS OTP?
A: They often assume SMS OTP proves identity when it actually proves message delivery to a phone number. That distinction matters because delivery can be redirected by recycling, SIM changes, or interception. Security teams should view SMS OTP as a weak, convenience-based factor and reserve it for low-risk use cases where account compromise would be limited.
Q: What is the difference between number possession and verified mobile identity?
A: Number possession means a device can receive messages sent to a phone number. Verified mobile identity means the platform has checked that the current number, SIM, and subscriber context still match the trusted subject. The difference is critical because only the second model can detect recycled numbers and block silent account takeover.
Technical breakdown
Why SMS OTP fails when numbers are recycled
SMS OTP depends on a simple but fragile assumption: the person receiving the code is the same person who originally enrolled the account. Recycled numbers break that assumption because the code follows the number, not the verified account holder. That creates a path for unsolicited account recovery, takeover, and message interception without any need to compromise the original user’s password. The weakness is structural, not just operational: the factor authenticates reachability to a phone number, not continuity of identity.
Practical implication: stop treating SMS OTP as proof of account ownership when numbers can be reassigned.
SIM binding and the MSISDN, ICCID, IMSI relationship
A mobile identity stack includes the phone number, or MSISDN, the SIM identifier, or ICCID, and the subscriber identity, or IMSI. Secure mobile verification works when these elements are checked together instead of in isolation. If a number is reused but the SIM context does not match the originally verified identity, the platform can detect the mismatch and force re-verification. That is the core difference between number possession and identity binding: one is transient, the other is durable enough to anchor trust.
Practical implication: verify the number together with SIM-linked attributes before allowing login or account recovery.
How recycled numbers enable account takeover chains
Once an attacker or unintended new subscriber receives a recycled number, the first entry point is usually password reset or SMS-based 2FA delivery. From there, the access path can extend into messaging apps, banking, digital wallets, health portals, or commerce accounts that still trust the old number. The chain works because many services use the same identifier across multiple accounts, so one reassigned number can unlock several adjacent services. This is not a single-account problem; it is an identity linkage problem across a user’s digital footprint.
Practical implication: map all services that use phone-number recovery and remove single-factor number dependency where the blast radius is high.
Threat narrative
Attacker objective: The objective is account takeover through trusted login and recovery channels that still assume the recycled number belongs to the original user.
- Entry occurs when a recycled mobile number is reassigned to a new subscriber and the new user inherits inbound SMS destined for the previous account holder.
- Credential access happens when password reset links, SMS OTPs, or account recovery messages are delivered to the wrong person.
- Impact follows as the new holder can take over accounts, redirect communications, and pivot into banking, messaging, or commerce services linked to the number.
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- IOS app secrets leakage report — iOS apps leaking hardcoded secrets and credentials endangering user privacy.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Number ownership is not identity ownership: mobile login flows fail when they treat a recycled number as proof of continuity. The number can move, the SIM can change, and the account recovery path still points at the wrong person. Practitioners should treat phone-number-based trust as a fragile external dependency, not an identity control.
SMS OTP creates a standing recovery path that outlives the original subject: the control was designed for a world where the number and the account holder stayed aligned. That assumption fails when operators recycle numbers and the new subscriber inherits the credential path. The implication is that recovery design, not just authentication strength, needs rethinking.
Mobile identity must be validated at the binding layer, not the messaging layer: checking only whether a code was delivered to a number does not establish that the current SIM or subscriber matches the original identity record. This is why number-based assurance is weaker than SIM-aware verification. Practitioners should re-evaluate whether their identity assurance model is tied to reachability or to verified subject continuity.
Ephemeral number trust debt: identity programmes accumulate risk when they keep old mobile numbers in recovery workflows after reassignment becomes possible. That debt appears as unexpected access, customer support escalations, and fraud exposure long after the original session ended. Teams should treat number recycling as an identity lifecycle event, not just a telecom housekeeping issue.
For IAM teams, this is a lifecycle governance problem as much as an authentication problem: enrolment, recovery, reassignment, and offboarding all need to reflect the fact that mobile numbers are reusable. Where lifecycle controls do not track reassignment, the trust chain breaks silently. The practitioner conclusion is to govern phone-number identity with the same lifecycle discipline used for other externally managed credentials.
From our research:
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to the Ultimate Guide to NHIs.
- 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage, according to the Guide to the Secret Sprawl Challenge.
- For a broader lifecycle view, NHI Lifecycle Management Guide shows why enrolment, rotation, and offboarding need a single governance chain.
What this signals
Ephemeral number trust debt: mobile identity programmes need to assume that externally managed identifiers can change hands without warning. The practical signal is not just fraud prevention, but lifecycle discipline, because recycled numbers behave like expiring credentials that were never explicitly revoked. The relevant governance reference point is the NHI Lifecycle Management Guide, which is useful when a control boundary needs to follow the identity, not the channel.
With 97% of NHIs carrying excessive privileges in our research, the Ultimate Guide to NHIs reinforces the broader pattern: weak identity binding creates oversized blast radius. The same logic applies here, where a single recycled number can reach multiple accounts if recovery paths were never separated by risk tier.
For practitioners, the near-term signal is that phone-number-based assurance will keep losing credibility as an identity anchor. Organisations should prepare to replace number-only recovery with stronger binding checks, clearer lifecycle events, and explicit re-verification triggers whenever external ownership can change.
For practitioners
- Remove SMS OTP from high-risk recovery paths Keep SMS only where the blast radius is low and pair it with stronger factors for account recovery, banking, healthcare, and admin access.
- Bind mobile identity to SIM-aware verification Validate the current number together with SIM-linked attributes such as ICCID and IMSI before issuing or restoring access.
- Review all number-based recovery workflows Inventory every product that uses a phone number for login, reset, or step-up access, then remove any path that still assumes the number belongs to the original user.
- Add reassignment checks to customer and identity lifecycle processes Trigger re-verification whenever a number is reassigned, ported, or materially changed so the trust link does not survive ownership changes.
Key takeaways
- Recycled mobile numbers create identity continuity failures because the recovery path often follows the number instead of the original user.
- The scale is material, with tens of millions of recycled numbers and long reuse windows that can expose stale account links.
- Practitioners should move high-risk login and recovery flows away from SMS-only trust and toward SIM-aware, lifecycle-based verification.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST SP 800-63, NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the technical controls, while GDPR define the regulatory obligations.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST SP 800-63 | SP 800-63B | The article is about authentication strength and recovery assurance. |
| NIST CSF 2.0 | PR.AC-1 | Identity proofing and authentication are central to this login risk. |
| NIST Zero Trust (SP 800-207) | 3.3 | Zero Trust depends on continuous verification, not stale contact-channel trust. |
| GDPR | Art.32 | The article discusses account access to user data and identity assurance. |
Apply appropriate security controls where recycled number exposure could lead to unauthorised personal data access.
Key terms
- Recycled Mobile Number: A recycled mobile number is a phone number that has been disconnected from one subscriber and reassigned to another. In identity systems, that reuse can break recovery flows and step-up authentication if the number is still treated as proof of account ownership.
- SIM Binding: SIM binding is the practice of linking a mobile number to the active SIM or subscriber context that currently controls it. It strengthens assurance by checking more than message delivery, which helps detect number reassignment and prevents stale recovery paths from surviving ownership changes.
- SMS OTP: SMS OTP is a one-time password delivered by text message to a mobile number. It is convenient but weak as an identity factor because it proves access to a number, not durable control of the original account holder or the device context behind that number.
- Account Recovery: Account recovery is the process used to restore access when a user forgets credentials or loses a factor. It becomes a security boundary when the recovery channel is trusted more than the original login, which is why weak channels such as recycled numbers can create takeover risk.
What's in the full article
IDlayr's full article covers the operational detail this post intentionally leaves for the source:
- The mechanics of MSISDN, ICCID, and IMSI binding for SIM-aware verification
- The practical differences between SMS OTP and deterministic mobile identity checks
- The customer-facing and fraud-control implications of recycled-number re-verification
- The article's own walkthrough of how mobile operators recycle numbers across markets
👉 IDlayr's full article covers SIM binding, SMS OTP weaknesses, and the account takeover chain
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing an identity security programme, it is worth exploring.
Published by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org