Subscribe to the Non-Human & AI Identity Journal
Home FAQ Governance, Ownership & Risk What breaks when a mobile number is recycled…
Governance, Ownership & Risk

What breaks when a mobile number is recycled in account recovery flows?

← Back to all FAQ
By NHI Mgmt Group Editorial Team Updated July 11, 2026 Domain: Governance, Ownership & Risk

Account recovery breaks when a recycled number becomes a new subscriber’s routing destination while systems still treat it as proof of ownership. Password resets, SMS OTP and linked-service notifications can reach the wrong person, enabling account takeover and fraud. The control failure is the assumption that possession of the number still equals entitlement to the account.

Why This Matters for Security Teams

Recycled mobile numbers are a recovery control failure, not just an inconvenience. Many account systems still treat SMS delivery as proof that the requester owns the account, even though telecom reassignment can move that number to a different subscriber. That makes reset links, one-time passcodes, and alerts unreliable signals for entitlement.

This is especially dangerous in environments that rely on phone-based recovery as the fallback for email, MFA, or delegated support. As Top 10 NHI Issues shows, identity assumptions break quickly when lifecycle states are not governed tightly, and the same logic applies here: the possession signal is no longer stable once the number is recycled. Industry guidance increasingly treats SMS as a weak recovery factor, while OWASP Non-Human Identity Top 10 reinforces the broader lesson that credentials and recovery paths must be validated as current, not merely present.

In practice, many security teams discover this only after a takeover attempt succeeds through an old phone number, rather than through intentional review of recovery design.

How It Works in Practice

Mobile number recycling creates a timing gap between telecom reassignment and application-level trust. A subscriber may surrender a number, the carrier later reissues it, and the original account recovery flow still accepts that number as an authentic channel. When a system sends an SMS OTP, password reset, or “verify your account” message, it may be reaching a stranger who now controls the line.

The practical failure is not just message delivery. Many recovery workflows also use the number as a signal for step-up authentication, helpdesk validation, or notification routing. Once that signal becomes stale, the attacker does not need to break the password directly. They can use the recycled number to intercept recovery, then pivot into email changes, MFA resets, or linked service abuse. This is why NHI Management Group emphasizes lifecycle discipline in the NHI Lifecycle Management Guide and why the Ultimate Guide to NHIs ties access safety to continuous validation and revocation.

  • Use mobile numbers only as a secondary signal, not as sole proof of account ownership.
  • Prefer stronger recovery factors such as authenticated email, recovery codes, FIDO-based methods, or verified in-app sessions.
  • Re-verify phone ownership when a number is added, changed, or used after long inactivity.
  • Shorten the validity window for recovery links and codes, and revoke them after use.
  • Flag high-risk events such as carrier changes, SIM swaps, and unusual recovery attempts for manual review.

Current guidance suggests treating phone-based recovery as a risk-bearing convenience feature, not a durable identity primitive. These controls tend to break down in consumer telecom environments with weak number-status signals and in enterprises that lack real-time telecom or account-lifecycle checks because the application cannot tell reassigned numbers from still-owned numbers.

Common Variations and Edge Cases

Tighter recovery controls often increase friction, requiring organisations to balance user convenience against takeover risk. That tradeoff becomes visible in customer support flows, where users who lost a device or changed carriers may need a slower reset path.

There is no universal standard for this yet, but best practice is evolving toward risk-based recovery rather than blanket SMS trust. Some systems will continue to use phone numbers for low-risk notification, while reserving them only as one factor among several for account recovery. Others will suppress SMS entirely for privileged or financially sensitive accounts. The key is to make the recovery path proportional to the account impact, not uniform across all users.

Edge cases matter. Shared family plans, prepaid numbers, VoIP numbers, and dormant accounts can all complicate trust in a phone number. The risk also rises when recovery flows lack recent-login checks, device binding, or human review for unusual changes. For broader lifecycle and secret-handling lessons, the Guide to the Secret Sprawl Challenge and Guide to NHI Rotation Challenges both show how stale trust creates avoidable exposure.

Organisations should align recovery policy with NIST Cybersecurity Framework 2.0 and the control discipline in NIST SP 800-53 Rev 5 Security and Privacy Controls, especially where account recovery touches high-value identities or regulated systems.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-63, NIST SP 800-53 Rev 5 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
OWASP Non-Human Identity Top 10NHI-01Phone-based recovery fails when identity signals are stale or misbound.
NIST CSF 2.0PR.AARecovery flows are authentication and assurance controls that need review.
NIST SP 800-63IAL/AALRecycled numbers undermine authentication assurance and verifier binding.
NIST SP 800-53 Rev 5IA-2Identity proofing and authenticator use are directly implicated in recovery.
NIST Zero Trust (SP 800-207)PE/PR.ACZero Trust requires current, contextual trust rather than static phone ownership.

Inventory recovery dependencies and remove phone-number trust where lifecycle validation is weak.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org