Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Recycled mobile numbers: what IAM teams need to change now


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 11631
Topic starter  

TL;DR: Recycled mobile numbers can hand password resets, SMS OTP and linked services to the wrong person after reassignment, creating account takeover, fraud and privacy exposure; the article cites 35 million recycled numbers annually in the United States and a 259-number study where 215 remained vulnerable, according to IDlayr. SMS-based trust assumptions fail when the number is no longer proof of ownership, making SIM-linked verification the decisive control.

NHIMG editorial — based on content published by IDlayr: The huge issue with mobile-based identity and login, recycled numbers

By the numbers:

Questions worth separating out

Q: What breaks when a mobile number is recycled in account recovery flows?

A: Account recovery breaks when a recycled number becomes a new subscriber’s routing destination while systems still treat it as proof of ownership.

Q: Why do recycled mobile numbers create identity risk for IAM programmes?

A: They create identity risk because the lifecycle of the phone number is separate from the lifecycle of the account.

Q: How can organisations tell whether SMS OTP is too weak for their accounts?

A: If an account holds financial, health or administrative value, and SMS OTP is used for reset or step-up, the control is likely too weak on its own.

Practitioner guidance

  • Remove mobile number only recovery for high-risk accounts Use a stronger recovery path for banking, healthcare, admin and payment accounts where recycled numbers could expose sensitive data or funds.
  • Bind identity checks to SIM and number together Verify MSISDN, SIM identifiers and the asserted user identity before granting password reset or step-up access.
  • Add reassignment monitoring to account recovery governance Create controls that detect when a mobile number has been reassigned and block silent reuse in recovery flows.

What's in the full article

IDlayr's full article covers the operational detail this post intentionally leaves for the source:

  • Market-specific number recycling timelines and why reassignment windows vary by country.
  • The SIM-based verification model using MSISDN, ICCID and IMSI together.
  • Examples of the account takeover paths that follow recycled-number reuse across consumer services.
  • The practical argument for replacing number-only SMS OTP with stronger mobile identity binding.

👉 Read IDlayr's analysis of recycled mobile number risk and SIM-based verification →

Recycled mobile numbers: what IAM teams need to change now?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11186
 

Number ownership is not identity ownership: SMS recovery treats a reachable phone number as if it still proves subscriber continuity, but recycled numbering breaks that assumption. A number can move to a different person while downstream systems still use it as a recovery anchor. That means the control failure starts at enrolment, not at compromise detection, and practitioners should stop treating phone possession as durable proof.

A few things that frame the scale:

  • Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities, according to The State of Non-Human Identity Security.
  • Lack of credential rotation is cited as the top cause of NHI-related attacks by 45% of organisations, followed by inadequate monitoring and logging at 37% and over-privileged accounts at 37%.

A question worth separating out:

Q: Who is accountable when recycled numbers lead to account takeover?

A: Account owners, IAM teams and product teams are jointly accountable because the failure sits in recovery design and lifecycle governance. If a system keeps accepting a reassigned number after ownership has changed, the organisation has not revoked an obsolete trust path. That is a governance failure, not just a user error.

👉 Read our full editorial: Recycled mobile numbers expose account takeover risk



   
ReplyQuote
Share: