Subscribe to the Non-Human & AI Identity Journal
Home FAQ Governance, Ownership & Risk Who is accountable when recycled numbers lead to…
Governance, Ownership & Risk

Who is accountable when recycled numbers lead to account takeover?

← Back to all FAQ
By NHI Mgmt Group Editorial Team Updated July 11, 2026 Domain: Governance, Ownership & Risk

Account owners, IAM teams and product teams are jointly accountable because the failure sits in recovery design and lifecycle governance. If a system keeps accepting a reassigned number after ownership has changed, the organisation has not revoked an obsolete trust path. That is a governance failure, not just a user error.

Why This Matters for Security Teams

Recycled numbers are not just a telephony problem. They become an identity recovery failure when SMS, voice, or callback flows continue to treat a reassigned number as proof of control. That puts account owners, IAM teams, and product teams in the same accountability chain because the risk sits in lifecycle governance, not just the end user’s caution. OWASP’s Non-Human Identity Top 10 is a useful reminder that weak trust paths are frequently embedded in recovery design, not only in primary authentication.

NHI Management Group research shows how often weak lifecycle controls persist: only 20% of organisations have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them. The same governance gap appears when a phone number is reassigned but still functions as an account recovery factor, creating a stale trust edge. The issue is not whether a user once owned the number, but whether the system keeps honouring obsolete evidence of ownership. In practice, many security teams encounter takeover only after the number has been recycled and the recovery path has already been abused.

How It Works in Practice

account takeover via recycled numbers usually follows a predictable sequence: a customer changes carriers, the previous number is reassigned, and a new holder receives reset codes or voice callbacks that still map to the old account. If recovery relies on SMS alone, the attacker does not need to defeat the primary password. They only need to exploit a trust path that was never revoked. That is why lifecycle controls matter as much as authentication controls.

Security teams should treat phone numbers like any other mutable identity attribute. Current guidance suggests reducing their role to a low-assurance signal and layering stronger controls for recovery. A better design uses risk-based checks, step-up verification, and out-of-band confirmation tied to a durable identity anchor such as a verified device, passkey, or customer support workflow. NIST’s SP 800-53 Rev. 5 supports this approach through access control, identification, authentication, and audit requirements, while the OWASP guidance above highlights why recovery paths deserve the same scrutiny as login paths.

  • Revoke phone-based recovery when number ownership changes or verification ages out.
  • Use short-lived recovery tokens instead of broad SMS reset trust.
  • Log and alert on repeated recovery attempts from newly reassigned numbers.
  • Require stronger proof for high-risk actions, especially when account email or device also changed.

For lifecycle discipline, NHI Management Group’s NHI Lifecycle Management Guide and Top 10 NHI Issues both reinforce the same operational point: trust must expire when the underlying asset changes. These controls tend to break down when carriers reassign numbers quickly and the application still treats stale recovery factors as authoritative.

Common Variations and Edge Cases

Tighter recovery controls often increase support friction, requiring organisations to balance account security against customer experience and fraud review volume. That tradeoff is real, especially in consumer apps where password resets are frequent and support teams are already overloaded. There is no universal standard for this yet, but best practice is evolving toward risk-tiered recovery rather than one-size-fits-all SMS reset.

Edge cases matter. Prepaid numbers can be reassigned faster than enterprise IT expects. Family-shared numbers may never have been a reliable ownership signal in the first place. Ported numbers can also remain linked to legacy accounts longer than the business assumes. In these environments, the safer approach is to treat the phone number as a weak, mutable attribute and not a durable identity proof. When recovery risk is high, organisations should prefer device-bound credentials, passkeys, verified support interaction, or step-up checks that do not depend on telecom ownership.

NHI Management Group’s Ultimate Guide to NHIs also frames the broader lesson: static trust does not survive lifecycle change. Once a number is recycled, the old assurance is gone, and any system still accepting it has kept a stale trust path alive.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST AI RMF and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
OWASP Non-Human Identity Top 10NHI-05Recovery trust paths tied to stale identities fit NHI lifecycle and revocation gaps.
NIST CSF 2.0PR.AA-01Account recovery depends on proving identity with current, reliable authentication evidence.
NIST AI RMFGovernance is needed to manage recovery risk and accountability across the account lifecycle.
NIST Zero Trust (SP 800-207)Zero trust rejects static trust in mutable attributes like recycled phone numbers.

Replace weak recovery factors with stronger identity proof and monitor for stale credentials.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org