Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Mobile number recycling: are SMS OTP controls keeping up?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 11631
Topic starter  

TL;DR: Mobile-number recycling can hand a new subscriber access to accounts tied to the previous owner when authentication depends on the number alone, according to IDlayr. SMS OTP and recovery flows that ignore SIM-level verification create account takeover risk, fraud exposure, and reputational damage.

NHIMG editorial — based on content published by IDlayr: L'ENORME problema dell'identità e del login da mobile - Numeri riciclati

By the numbers:

Questions worth separating out

Q: How should organisations handle account recovery when mobile numbers can be recycled?

A: Treat the phone number as a routing attribute, not as proof of ownership.

Q: Why does SMS OTP become risky in mobile identity programmes?

A: SMS OTP becomes risky because message delivery follows the number, while identity should follow the verified subscriber.

Q: What do security teams get wrong about using phone numbers as identity factors?

A: They often confuse possession of a number with durable identity assurance.

Practitioner guidance

  • Map every SMS-dependent recovery path Inventory where phone numbers are used for password reset, OTP delivery, and account reactivation.
  • Add SIM-binding checks to mobile identity flows Require the current SIM context, not just the number, before granting recovery or step-up access.
  • Replace SMS as the final trust decision Use SMS only as one signal in a broader verification flow.

What's in the full article

IDlayr's full article covers the operational detail this post intentionally leaves for the source:

  • How MSISDN, ICCID, and IMSI are used together in a live verification flow
  • Why SMS OTP fails in recycled-number and SIM-swap scenarios
  • What real-time mobile identity verification changes in account recovery design
  • How teams can reduce fraud exposure without removing mobile numbers from identity workflows

👉 Read IDlayr's analysis of recycled mobile numbers and identity risk →

Mobile number recycling: are SMS OTP controls keeping up?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11186
 

Mobile number trust is a brittle identity primitive when the number outlives the person who first registered it. The article shows that the authentication decision is anchored to a channel that mobile operators routinely recycle, which means the credential can be reassigned without the application layer noticing. For IAM teams, the lesson is that a phone number is a transport handle, not a durable identity anchor.

A few things that frame the scale:

  • Only 5.7% of organisations have full visibility into their service accounts, according to Ultimate Guide to NHIs.
  • 91.6% of secrets remain valid five days after notification, which shows how slowly identity remediation often moves in practice.

A question worth separating out:

Q: Who is accountable when recycled numbers lead to account takeover?

A: Accountability sits with the organisation that chose the recovery design, not with the mobile operator alone. If a service keeps trusting a number after reassignment, it has accepted an identity lifecycle failure. For regulated data or financial access, that design choice should be reviewed alongside fraud controls and customer assurance policy.

👉 Read our full editorial: Mobile number recycling exposes a fragile identity trust model



   
ReplyQuote
Share: