TL;DR: Mobile-number recycling can hand a new subscriber access to accounts tied to the previous owner when authentication depends on the number alone, according to IDlayr. SMS OTP and recovery flows that ignore SIM-level verification create account takeover risk, fraud exposure, and reputational damage.
At a glance
What this is: This is an analysis of how recycled mobile numbers can break account identity verification when systems trust the phone number without verifying the underlying SIM.
Why it matters: It matters because IAM, fraud, and digital identity teams that still rely on SMS OTP or number-based recovery can unintentionally authorize the wrong person and open access to sensitive accounts.
By the numbers:
- A study of 259 recycled numbers found that 215 were actually recycled and remained vulnerable to exploitation.
- In the United Kingdom, mobile providers typically recycle numbers within 70 to 180 days.
👉 Read IDlayr's analysis of recycled mobile numbers and identity risk
Context
Mobile number recycling is a mobile identity problem that becomes an access-control problem as soon as a phone number is treated as a credential. When the number is reused without securely binding it to the underlying SIM, password resets, SMS one-time passwords, and recovery flows can reach the wrong person.
That creates a governance gap for customer IAM and fraud teams alike. The article argues that the trust decision must move from the phone number alone to the number plus SIM identity, especially where mobile recovery is still used for social, banking, healthcare, and commerce accounts.
Key questions
Q: How should organisations handle account recovery when mobile numbers can be recycled?
A: Treat the phone number as a routing attribute, not as proof of ownership. For sensitive accounts, require additional verification such as device binding, operator-backed SIM checks, or stronger step-up factors before allowing recovery. If the number has been reassigned, the system should force re-verification rather than assuming continuity of identity.
Q: Why does SMS OTP become risky in mobile identity programmes?
A: SMS OTP becomes risky because message delivery follows the number, while identity should follow the verified subscriber. When a number is recycled, transferred, or hijacked through SIM swap, the OTP can reach the wrong person. That turns a convenience factor into a recovery path for account takeover.
Q: What do security teams get wrong about using phone numbers as identity factors?
A: They often confuse possession of a number with durable identity assurance. In reality, numbers change hands, move between SIMs, and get reassigned by operators. If the application does not re-check the number’s current SIM context, the factor can authorize a different person than the one originally verified.
Q: Who is accountable when recycled numbers lead to account takeover?
A: Accountability sits with the organisation that chose the recovery design, not with the mobile operator alone. If a service keeps trusting a number after reassignment, it has accepted an identity lifecycle failure. For regulated data or financial access, that design choice should be reviewed alongside fraud controls and customer assurance policy.
Technical breakdown
Why SMS OTP fails when mobile numbers are recycled
SMS one-time passwords assume that whoever receives the message is the legitimate account holder. That assumption breaks when a mobile operator reassigns an inactive number to a new subscriber, because the delivery path follows the number, not the original identity. The result is a weak recovery factor that can authorize the wrong user during password reset, second-factor verification, or account reactivation. In identity terms, SMS OTP is an addressable channel, not a proof of ongoing ownership. It becomes especially fragile when the same number is reused across multiple services and remains linked to older accounts.
Practical implication: treat SMS OTP as a weak recovery signal, not as a primary proof of account ownership.
SIM binding, MSISDN, ICCID, and IMSI
A safer mobile identity model checks more than the phone number. The MSISDN identifies the mobile number, the ICCID identifies the SIM card, and the IMSI identifies the subscriber identity assigned by the mobile operator. When these identifiers are checked together, the system can detect that a number has moved to a different SIM or a different subscriber context. That makes the trust decision conditional instead of assumed. The important design change is not removing mobile identity from the flow, but verifying the relationship between the number and the current SIM before sensitive access is granted.
Practical implication: bind mobile authentication to SIM and subscriber checks before accepting a number as an identity signal.
Why mobile identity needs real-time verification
If verification happens only at enrollment, the trust relationship can silently decay over time as numbers are recycled or SIMs change. Real-time verification closes that gap by checking the current state of the number with the operator at the moment of login or recovery. This is less about convenience and more about reducing stale trust. It also creates a clear decision point when the number no longer matches the previously verified identity, allowing the system to trigger step-up verification instead of granting access on outdated assumptions.
Practical implication: move mobile identity checks into runtime access decisions, not just initial onboarding.
Threat narrative
Attacker objective: The objective is to inherit and exploit accounts that still trust the recycled number as proof of identity.
- Entry occurs when a recycled mobile number is reassigned to a new subscriber who receives SMS-based recovery and OTP traffic intended for the previous owner.
- Escalation follows when the new number holder uses password reset or messaging takeover to access linked consumer accounts and other connected services.
- Impact is account takeover, fraudulent access, and reputational damage for the organisations that trusted the number as if it were a stable identity credential.
Breaches seen in the wild
- IOS app secrets leakage report — iOS apps leaking hardcoded secrets and credentials endangering user privacy.
- MongoBleed breach — MongoBleed exposed secrets across 87K MongoDB servers.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Mobile number trust is a brittle identity primitive when the number outlives the person who first registered it. The article shows that the authentication decision is anchored to a channel that mobile operators routinely recycle, which means the credential can be reassigned without the application layer noticing. For IAM teams, the lesson is that a phone number is a transport handle, not a durable identity anchor.
SMS OTP is a recovery mechanism, not an ownership proof. It assumes number possession equals account legitimacy, but recycled-number workflows destroy that assumption by design. That makes SMS-based recovery structurally vulnerable in customer identity programmes, especially where banking, social, and healthcare accounts depend on it. Practitioners should treat SMS OTP as a weak assurance layer under NIST SP 800-63 thinking, not a final trust decision.
SIM-level verification is the named concept this problem exposes: mobile identity must be bound to the current SIM context, not just the phone number. The article’s core contribution is the shift from static number verification to a living trust relationship that can detect reassignment. That aligns with OWASP Non-Human Identity Top 10 thinking about stale secrets and trust drift, even though the actor here is human identity. The practical conclusion is that identity assurance must follow the current control point, not the historical one.
Recycled-number risk is a lifecycle failure, not just an authentication weakness. The underlying gap is offboarding and re-binding: when a number is retired, the downstream accounts tied to it often are not revalidated. That is the same governance pattern seen in other identity domains when credentials outlive their original owner or purpose. Teams need to rethink recovery, revocation, and re-verification as one workflow.
Identity programmes that still depend on SMS for recovery are carrying avoidable trust debt. The more business-critical the account, the less acceptable it is to let number reuse decide access. This is a customer-identity governance issue with direct fraud and support implications, and it belongs in the same review cycle as MFA policy, account recovery design, and lifecycle controls.
From our research:
- Only 5.7% of organisations have full visibility into their service accounts, according to Ultimate Guide to NHIs.
- 91.6% of secrets remain valid five days after notification, which shows how slowly identity remediation often moves in practice.
- The lifecycle problem behind recycled-number trust is the same one covered in Ultimate Guide to NHIs, where offboarding and revocation gaps leave old access paths alive.
What this signals
Mobile identity teams should expect more pressure to move beyond SMS-based recovery as fraud pressure and customer assurance expectations rise. The governance issue is not the phone number itself, but the assumption that number possession is stable enough to anchor access decisions. Mobile identity trust debt: every account that still uses SMS as the final recovery gate accumulates risk the moment a number can be reassigned.
With NIST SP 800-63 Digital Identity Guidelines as the baseline for assurance thinking, practitioners should separate low-assurance convenience flows from high-assurance recovery paths. In practical terms, the question is not whether mobile identity is useful, but whether it is being trusted beyond the assurance level it can support.
The programme signal is clear: if a customer identity platform cannot detect SIM change or number reassignment in time, it cannot claim stable mobile identity assurance. That should trigger a review of fraud rules, recovery journeys, and any flow where a recycled number could still unlock value.
For practitioners
- Map every SMS-dependent recovery path Inventory where phone numbers are used for password reset, OTP delivery, and account reactivation. Prioritise regulated or high-value accounts first, because recycled numbers create the highest consequence when access is silently reassigned.
- Add SIM-binding checks to mobile identity flows Require the current SIM context, not just the number, before granting recovery or step-up access. Where operator validation is available, check MSISDN against SIM attributes so reassigned numbers trigger re-verification.
- Replace SMS as the final trust decision Use SMS only as one signal in a broader verification flow. For sensitive actions, require stronger factors or risk-based step-up when number ownership cannot be confirmed in real time.
- Revalidate dormant accounts tied to recycled numbers Run periodic reviews for accounts whose only recovery factor is a mobile number, then force reproof of ownership before those accounts are left to age into takeover risk.
Key takeaways
- Recycled mobile numbers can transfer access to the wrong person when systems trust the number without checking the underlying SIM.
- The scale is material: 35 million numbers are recycled each year in the United States, and a 259-number study found 215 remained vulnerable.
- Security teams should move SMS OTP out of the role of final identity proof and require stronger, SIM-aware verification for recovery and step-up access.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST SP 800-63, NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST SP 800-63 | SP 800-63B | SMS OTP and recovery assurance are directly addressed by digital identity guidance. |
| NIST CSF 2.0 | PR.AC-1 | Identity proofing and access control are central to number-reuse risk. |
| NIST Zero Trust (SP 800-207) | Zero trust assumptions break when number possession is treated as identity. |
Review mobile recovery flows against PR.AC-1 and require stronger identity proofing for sensitive access.
Key terms
- Mobile Number Recycling: The reassignment of an inactive phone number from one subscriber to another by a mobile operator. In identity systems, this becomes a security issue when applications keep trusting the number after ownership changes, because the old recovery path can reach a new person.
- SMS One-Time Password: A short-lived code delivered by text message for login or recovery. It is convenient, but it only proves that a message reached a number, not that the current holder of that number is the original account owner, which makes it weak under reassignment and SIM swap conditions.
- SIM Binding: A verification approach that checks the current SIM context associated with a mobile number before granting access. It raises assurance by tying the number to an active subscriber identity, which helps detect reassigned numbers and reduces the chance of authorizing the wrong user.
- Account Recovery Assurance: The level of confidence an organisation has that a user requesting reset or reactivation is the legitimate account holder. Strong recovery assurance requires more than channel possession, because recovery is often the easiest place for attackers to exploit stale identity assumptions.
What's in the full article
IDlayr's full article covers the operational detail this post intentionally leaves for the source:
- How MSISDN, ICCID, and IMSI are used together in a live verification flow
- Why SMS OTP fails in recycled-number and SIM-swap scenarios
- What real-time mobile identity verification changes in account recovery design
- How teams can reduce fraud exposure without removing mobile numbers from identity workflows
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
Published by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org