TL;DR: Mobile-number recycling can hand a new subscriber access to accounts tied to the previous owner when authentication depends on the number alone, according to IDlayr. SMS OTP and recovery flows that ignore SIM-level verification create account takeover risk, fraud exposure, and reputational damage.
NHIMG editorial — based on content published by IDlayr: L'ENORME problema dell'identità e del login da mobile - Numeri riciclati
By the numbers:
- A study of 259 recycled numbers found that 215 were actually recycled and remained vulnerable to exploitation.
- In the United Kingdom, mobile providers typically recycle numbers within 70 to 180 days.
Questions worth separating out
Q: How should organisations handle account recovery when mobile numbers can be recycled?
A: Treat the phone number as a routing attribute, not as proof of ownership.
Q: Why does SMS OTP become risky in mobile identity programmes?
A: SMS OTP becomes risky because message delivery follows the number, while identity should follow the verified subscriber.
Q: What do security teams get wrong about using phone numbers as identity factors?
A: They often confuse possession of a number with durable identity assurance.
Practitioner guidance
- Map every SMS-dependent recovery path Inventory where phone numbers are used for password reset, OTP delivery, and account reactivation.
- Add SIM-binding checks to mobile identity flows Require the current SIM context, not just the number, before granting recovery or step-up access.
- Replace SMS as the final trust decision Use SMS only as one signal in a broader verification flow.
What's in the full article
IDlayr's full article covers the operational detail this post intentionally leaves for the source:
- How MSISDN, ICCID, and IMSI are used together in a live verification flow
- Why SMS OTP fails in recycled-number and SIM-swap scenarios
- What real-time mobile identity verification changes in account recovery design
- How teams can reduce fraud exposure without removing mobile numbers from identity workflows
👉 Read IDlayr's analysis of recycled mobile numbers and identity risk →
Mobile number recycling: are SMS OTP controls keeping up?
Explore further
Mobile number trust is a brittle identity primitive when the number outlives the person who first registered it. The article shows that the authentication decision is anchored to a channel that mobile operators routinely recycle, which means the credential can be reassigned without the application layer noticing. For IAM teams, the lesson is that a phone number is a transport handle, not a durable identity anchor.
A few things that frame the scale:
- Only 5.7% of organisations have full visibility into their service accounts, according to Ultimate Guide to NHIs.
- 91.6% of secrets remain valid five days after notification, which shows how slowly identity remediation often moves in practice.
A question worth separating out:
Q: Who is accountable when recycled numbers lead to account takeover?
A: Accountability sits with the organisation that chose the recovery design, not with the mobile operator alone. If a service keeps trusting a number after reassignment, it has accepted an identity lifecycle failure. For regulated data or financial access, that design choice should be reviewed alongside fraud controls and customer assurance policy.
👉 Read our full editorial: Mobile number recycling exposes a fragile identity trust model