By NHI Mgmt Group Editorial TeamDomain: Governance & RiskSource: IDlayrPublished November 3, 2025

TL;DR: Recycled mobile numbers can hand password resets, SMS OTP and linked services to the wrong person after reassignment, creating account takeover, fraud and privacy exposure; the article cites 35 million recycled numbers annually in the United States and a 259-number study where 215 remained vulnerable, according to IDlayr. SMS-based trust assumptions fail when the number is no longer proof of ownership, making SIM-linked verification the decisive control.


At a glance

What this is: The article argues that recycled mobile numbers create a practical account takeover risk because SMS-based login treats a phone number as proof of ownership even after reassignment.

Why it matters: That matters to IAM teams because mobile number recovery, SMS OTP and account reset flows can become a weak identity assurance layer when the number is reused by a new subscriber.

By the numbers:

👉 Read IDlayr's analysis of recycled mobile number risk and SIM-based verification


Context

Mobile numbers are often treated as convenient identity credentials, but the security model behind that assumption is weaker than many IAM programmes recognise. Reassignment by mobile network operators means the number can outlive the original subscriber, so a later owner may inherit password reset paths and SMS-based verification flows.

The primary issue is not mobile connectivity itself. It is the mismatch between a reusable number and the belief that possession of that number still proves account ownership, which is why recycled number risk belongs in identity governance, not just fraud monitoring.


Key questions

Q: What breaks when a mobile number is recycled in account recovery flows?

A: Account recovery breaks when a recycled number becomes a new subscriber’s routing destination while systems still treat it as proof of ownership. Password resets, SMS OTP and linked-service notifications can reach the wrong person, enabling account takeover and fraud. The control failure is the assumption that possession of the number still equals entitlement to the account.

Q: Why do recycled mobile numbers create identity risk for IAM programmes?

A: They create identity risk because the lifecycle of the phone number is separate from the lifecycle of the account. If a number is reassigned, the old trust relationship survives in systems that still rely on it for recovery or step-up. IAM teams need to treat number reuse as a trust revocation event, not as routine contact maintenance.

Q: How can organisations tell whether SMS OTP is too weak for their accounts?

A: If an account holds financial, health or administrative value, and SMS OTP is used for reset or step-up, the control is likely too weak on its own. The signal is any recovery process that depends only on the phone number and not on a stronger binding to SIM, device or verified identity.

Q: Who is accountable when recycled numbers lead to account takeover?

A: Account owners, IAM teams and product teams are jointly accountable because the failure sits in recovery design and lifecycle governance. If a system keeps accepting a reassigned number after ownership has changed, the organisation has not revoked an obsolete trust path. That is a governance failure, not just a user error.


Technical breakdown

Why recycled numbers break SMS-based identity assurance

SMS OTP relies on the phone number as a routing destination, not as a verified proof of possession. When the number is recycled, messages for resets, one-time codes and linked services can reach a different subscriber. The control failure is structural: the verifier checks that the message arrived, not that the current recipient is the same identity that originally enrolled the account.

Practical implication: treat SMS OTP as a low-assurance factor for recovery and step-up flows where number reassignment is plausible.

Why SIM linkage changes the trust model

SIM-based authentication ties the mobile number to the SIM identity, such as ICCID and IMSI, so the system can verify whether the number is still bound to the expected device subscription. That creates a live trust relationship instead of a static one. If the number has been recycled or moved to a new SIM, the mismatch can trigger re-verification before access is granted.

Practical implication: bind number, SIM and identity together before using mobile data as an access signal.

How recycled-number fraud chains into broader account compromise

Once an attacker or unintended new owner receives resets or codes, the initial compromise often extends beyond one account. Messaging apps, bank portals, digital wallets and e-commerce profiles may all share the same mobile recovery path. The risk is not isolated account loss but credential chaining across multiple services that trust the same number as a recovery anchor.

Practical implication: inventory all services that use mobile recovery paths and remove number-only recovery where linked financial or personal data is exposed.


Threat narrative

Attacker objective: The objective is to gain unauthorized access to one or more accounts by inheriting a reused mobile number and exploiting SMS-based recovery flows.

  1. Entry occurs when a disconnected mobile number is reassigned to a new subscriber who then receives SMS-based resets or verification codes intended for the previous owner.
  2. Escalation follows when the new holder uses those codes to enter the original account and then pivots into additional linked services that share the same recovery number.
  3. Impact is account takeover, fraud and privacy exposure across social, banking, messaging and e-commerce services that still trust the recycled number.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Number ownership is not identity ownership: SMS recovery treats a reachable phone number as if it still proves subscriber continuity, but recycled numbering breaks that assumption. A number can move to a different person while downstream systems still use it as a recovery anchor. That means the control failure starts at enrolment, not at compromise detection, and practitioners should stop treating phone possession as durable proof.

Recycled-number risk is an identity lifecycle problem, not a narrow fraud edge case: number reassignment is a lifecycle event that invalidates prior trust relationships. The same offboarding logic that applies to service accounts should apply to mobile number recovery paths, because the previous owner’s access should not survive reassignment. For IAM and IGA teams, this is a governance boundary issue, not just a technical verification issue.

SMS OTP remains brittle because it authenticates a route, not a rightful owner: the mechanism proves message delivery, not current entitlement to the account. That makes it weak where recovery and step-up decisions carry real impact, especially in banking, healthcare and consumer platforms. The implication is that teams must reclassify SMS OTP as a legacy assurance pattern rather than a trustworthy recovery control.

Mobile identity needs a live binding concept, not a static contact record: the useful concept here is live trust linkage between MSISDN, SIM and verified identity. Once that linkage breaks, the old account relationship should be considered invalid. Practitioners should design mobile identity governance around re-verification triggers, not around the assumption that a number remains anchored to one person indefinitely.

From our research:

  • Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities, according to The State of Non-Human Identity Security.
  • Lack of credential rotation is cited as the top cause of NHI-related attacks by 45% of organisations, followed by inadequate monitoring and logging at 37% and over-privileged accounts at 37%.
  • If you want the governance baseline behind these identity failures, start with NHI Lifecycle Management Guide and then map recovery-path controls back to account ownership.

What this signals

Recycled-number governance is really recovery-path governance: the operational question is not whether mobile numbers can be reused, but whether your programme can recognise when a previously trusted recovery path is no longer valid. That makes identity lifecycle controls, not just fraud analytics, the right place to absorb this risk.

The practical next step is to map every mobile-dependent recovery path against account criticality, then decide where SMS can remain as a contact channel rather than an authenticator. Teams that still rely on number possession alone should expect silent trust drift as carriers recycle assignments.

For broader NHI and identity hygiene, the pattern mirrors other reusable credential problems covered in the Ultimate Guide to NHIs , Static vs Dynamic Secrets: static trust relationships age badly when ownership changes underneath them. The same lesson now applies to mobile identity recovery.


For practitioners

  • Remove mobile number only recovery for high-risk accounts Use a stronger recovery path for banking, healthcare, admin and payment accounts where recycled numbers could expose sensitive data or funds. Keep the number as a contact method, not as the sole proof of ownership.
  • Bind identity checks to SIM and number together Verify MSISDN, SIM identifiers and the asserted user identity before granting password reset or step-up access. If the binding no longer matches, require re-verification before any recovery action proceeds.
  • Add reassignment monitoring to account recovery governance Create controls that detect when a mobile number has been reassigned and block silent reuse in recovery flows. Where available, integrate carrier or network verification into the step that decides whether a number still belongs to the enrolled user.
  • Review all services that trust SMS OTP for step-up Map every application that uses SMS OTP for reset, login or transaction approval. Replace number-based trust in the services with the highest fraud and privacy impact first, then phase out the rest through access governance and lifecycle change management.

Key takeaways

  • Recycled mobile numbers can convert a legitimate recovery flow into an account takeover path when systems still trust the old subscriber relationship.
  • The problem is structural, with reassigned numbers, SMS OTP and number-only recovery combining to create fraud, privacy loss and reputational damage.
  • Teams should treat number reassignment as a trust revocation event and move high-risk recovery flows to stronger identity binding.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-53 Rev 5, NIST Zero Trust (SP 800-207) and NIST SP 800-63 set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
OWASP Non-Human Identity Top 10NHI-03Recycled-number trust breaks recovery and authenticator handling in NHI-like identity flows.
NIST CSF 2.0PR.AC-1Identity proofing and access control are directly implicated by recycled-number recovery flows.
NIST SP 800-53 Rev 5IA-5Authenticator management governs SMS OTP and replacement recovery factors.
NIST Zero Trust (SP 800-207)Zero trust requires continuous verification rather than stale phone-number assumptions.
NIST SP 800-63SP 800-63BAuthenticator assurance is central when SMS OTP is used as a recovery factor.

Treat number reuse as a lifecycle revocation event and stop using number-only recovery for high-risk access.


Key terms

  • Recycled Mobile Number: A recycled mobile number is a phone number that has been disconnected from one subscriber and reassigned to another. In identity systems, reuse becomes a security problem when the old number still functions as a recovery or authentication signal for accounts tied to the previous owner.
  • SMS OTP: SMS OTP is a one-time password delivered by text message for login, reset or step-up verification. It is convenient, but it only proves that a message reached the current holder of the number, which is weaker than proving the account owner’s identity or device binding.
  • SIM-Based Authentication: SIM-based authentication verifies the mobile identity relationship using the SIM and the number together, rather than relying on the number alone. That lets a platform detect when a number has been reassigned or moved and trigger re-verification before allowing access.
  • Recovery Path Governance: Recovery path governance is the control of how accounts are restored, reset or reclaimed when primary credentials are lost. In mobile identity, it means treating phone numbers, SMS and carrier bindings as lifecycle-managed trust paths that must be revoked when ownership changes.

What's in the full article

IDlayr's full article covers the operational detail this post intentionally leaves for the source:

  • Market-specific number recycling timelines and why reassignment windows vary by country.
  • The SIM-based verification model using MSISDN, ICCID and IMSI together.
  • Examples of the account takeover paths that follow recycled-number reuse across consumer services.
  • The practical argument for replacing number-only SMS OTP with stronger mobile identity binding.

👉 IDlayr's full article explains how recycled numbers, SMS OTP and SIM binding interact in practice.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing an IAM or identity governance programme, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org