They confuse reachability with ownership. A recycled or reassigned number may still receive SMS and pass basic checks, but it no longer proves the current user is the original owner. That creates a blind spot in account opening, recovery, and step-up authentication, where fraudsters exploit borrowed trust to gain access.
Why This Matters for Security Teams
Phone numbers are often treated as a convenient identity signal because they are easy to collect, easy to verify, and easy to reuse across workflows. The problem is that SMS reachability does not equal enduring ownership. Numbers can be recycled, ported, or transferred, and those changes can silently invalidate the assumption behind account recovery, enrollment, and step-up authentication. That matters most where identity assurance is meant to reduce fraud, not simply confirm contactability.
This is not just an account security issue. It affects fraud controls, help desk procedures, customer onboarding, and any process that uses a phone number as a proxy for trust. NIST’s NIST SP 800-53 Rev 5 Security and Privacy Controls makes clear that identity and authenticator management need explicit control design, not assumptions about the stability of a single factor. Current guidance suggests treating phone numbers as a communications channel, not a durable proof of identity.
In practice, many security teams only discover this weakness after a SIM swap, number recycling event, or recovery abuse has already been used to take over an account.
How It Works in Practice
Operationally, the failure starts when a system treats a phone number as both identifier and authenticator. A user signs up with a number, receives an OTP by SMS, and later uses that same number for password reset or step-up verification. If the number changes hands, the new holder may still receive messages and satisfy the control even though the underlying identity has changed. That creates a trust gap between the system’s records and the real-world subscriber relationship.
Security teams should separate three functions: contactability, recovery, and assurance. Contactability is useful for notifications. Recovery is a higher-risk path that should require stronger evidence than a phone number alone. Assurance should be based on a combination of factors that are less likely to be reassigned or intercepted, such as phishing-resistant authenticators, verified device binding, or in-person or document-based checks where appropriate. NIST SP 800-63 Digital Identity Guidelines is the right reference point when deciding how much confidence a given authenticator should carry in a specific flow.
- Use phone numbers for communication, not as the primary proof of account ownership.
- Require stronger verification for recovery than for routine login.
- Re-verify riskier accounts when a number changes or is ported.
- Log and review recovery events as fraud signals, not just support outcomes.
- Prefer phishing-resistant authenticators for high-value accounts.
For broader identity governance, this also intersects with account lifecycle controls, because a stale phone number can persist long after the person who originally registered it has left the relationship. Where fraud teams and IAM teams do not share signals, one side often assumes the other has already validated the identity. Controls mapped to NIST SP 800-63 Digital Identity Guidelines and identity assurance workflows help close that gap. These controls tend to break down in high-volume consumer environments because recovery is optimised for speed and support cost, not for evidence quality.
Common Variations and Edge Cases
Tighter identity assurance often increases friction, support cost, and abandonment, so organisations have to balance fraud reduction against user experience. There is no universal standard for replacing phone-based trust in every journey yet, but current guidance suggests using it only where the risk is genuinely low.
The edge cases matter. Prepaid numbers, shared family plans, enterprise-issued devices, and cross-border roaming can all weaken the meaning of a phone-based signal. Porting fraud and number recycling are especially dangerous in recovery flows because they can look operationally normal while still transferring access to an attacker. In regulated environments, this is also a governance issue: security teams need to know when a phone number is being treated as an identifier, when it is just a contact method, and when it should trigger step-up verification.
Where identity proofing is stronger, phone numbers can still have a supporting role, but they should be paired with other controls and monitored for change events. Where they are the only factor, the system is effectively asking a mutable telecom record to do the work of an identity proof.
For organisational control design, NIST CSF and identity assurance guidance are more reliable anchors than local assumptions about SMS reliability, while phishing-resistant authenticators and recovery hardening should be prioritised for higher-value accounts.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST SP 800-63 and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST SP 800-63 | 3.1.2 | Identity proofing and authenticator guidance addresses weak reliance on phone numbers. |
| NIST CSF 2.0 | PR.AA-01 | Identity and access assurance must reflect changing subscriber and account risk. |
Use stronger authenticators and risk-based recovery instead of treating SMS as ownership proof.
Related resources from NHI Mgmt Group
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org