The Trouble with Reused Phone Numbers in CIAM



CIAM Weekly


Dan Moore
Jun 22, 2026

Heya,

What do you do about legitimate account takeover? What happens when a phone number is owned by someone new because the previous owner no longer owns it?

CIAM systems that use phone numbers as identifiers face an account-takeover problem email doesn't have, for a couple of reasons.

For email, the namespace is large.

As far as I know, personal email providers don’t reuse identifiers. I wasn’t able to find authoritative answers across all of these, but here’s an official Yahoo Mail FAQ, a Google support article about deleting Gmail from your account, and a forum post about Microsoft.

If your email address belongs to your employer, it can be reused, but that login identifier belongs to the company, not to you. When you leave a company, they’re entirely within their rights to reuse that address.

Here’s the phone number scenario: I register for an application account using my phone number as the identifier. Five or ten years later, I deactivate that phone number and switch to a different one.

This could happen because:

You switch providers and the country doesn’t have phone number portability (most do).

You move states or countries and want a local phone number.

You want to switch your number for personal reasons.

When you deactivate your phone number, the released phone number goes back into the telco’s pool. Later it can be associated with somebody else.

If you’re running a popular enough service and depend on phone numbers as login identifiers, someone will eventually try to sign up for the service using a phone number that was previously attached to another account.

Let’s take a deeper look at this scenario. To make it easier to follow, let’s say Alice had the number 303-555-1212 and signed up for a service. After a few years, Alice let the number go. Then Bob got the number and signed up for the same service.

A service provider should decide what the policy is when Bob signs up. There are a few options:

treat this registration as if it was Alice coming in (Assume Bob Is Alice)

treat the registration as a brand new user based on external information (Know Bob is New)

try to figure out whether this is actually Alice or a new user (Figure Out If Bob is New)

Assume Bob Is Alice

If the service provider treats the registration as if it were Alice, Bob will be told “this account is already registered” and sent down the account recovery flow. The recovery message goes to 303-555-1212, the number that Alice registered but Bob now owns. Bob now has access to Alice’s information. Not great.

Know Bob is New

Another option is to recognize that the phone number has been deactivated and archive Alice’s account, so that when Bob signs up, he gets an entirely new, clean account. Deactivation tracking is available in the USA because the FCC publishes a reassigned number database (Twilio also offers a free API).

Other countries don’t seem to have this, so you’re left with periodically polling to see whether a number is active. If a number was active, then went inactive for weeks, then was active again, that’s a good signal it was reassigned. Not perfect, but a good heuristic. You could do this with a service like Twilio Lookup. Do deeper research on the countries you want to support.

If the service has a reliable deactivation signal, it can mark the old account as archived, lock it, and change the identifier. Instead of 303-555-1212, change it to 303-555-1212-archived-2026-06-01 (if it was archived on June 1). The reason to include the date is that this process could happen more than once.

Figure Out If Bob is New

If there is no deactivation signal, add a step to the registration process when the login identifier collision occurs.

Ask Bob if they are Alice. The service can do this by asking Bob for his name, birthday, or about another detailed interaction with the service. Do this at registration or if the login has been dormant for a period of time (months or years).

Compare Bob’s answer with the details on Alice’s account.

Bob’s answers won’t match, so you can then archive Alice’s account and create a new one for Bob.

If Bob’s answers do match, then Bob is actually Alice and should proceed with account recovery. It’s then okay if Bob does an account reset and gets access to the old account.

This is not account takeover protection, where an attacker wants to get into Alice’s account. An attacker targeting Alice wouldn’t be relying on a phone number reassignment that takes years to happen. Possession of the number (via OTP) plus a dormancy window are real friction; the lighter knowledge-based questions only determine whether Bob and Alice are the same person, they do not authenticate Bob. This is why they are acceptable here in a way they wouldn’t be for real authentication.

Summing Up

The first option allows for account takeover, however inadvertent, and is a bad idea. The second...
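The two mechanisms described above, the active/inactive/active polling heuristic from the "Know Bob is New" section and the collision handling from the "Figure Out If Bob is New" section, as one added example in Python. This is not code from the post or from any CIAM product. The lookup observations, the in-memory account store, the names and birthdays, and the 180-day dormancy window are all constructed assumptions; the dated archive identifier follows the 303-555-1212-archived-2026-06-01 convention the post describes. One choice goes beyond the text and is labelled as an assumption in the code: when Bob's answers don't match but Alice's account was used within the dormancy window, the registration is rejected rather than the account being archived or handed over, since a reassignment can't have happened that quickly.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Iterable, Optional

# --- "Know Bob is New": polling heuristic for countries with no reassigned-number database ---

@dataclass(frozen=True)
class LookupObservation:
    observed_on: date
    active: bool  # what the number-lookup service reported on that day (constructed data)

def likely_reassigned(history: Iterable[LookupObservation], min_inactive_days: int = 14) -> bool:
    """Active, then inactive for at least min_inactive_days, then active again => probably reassigned.
    A single inactive blip shorter than the window is ignored; a number that was never active
    before is simply new, not reassigned."""
    was_active = False
    inactive_since: Optional[date] = None
    for obs in sorted(history, key=lambda o: o.observed_on):
        if obs.active:
            if (was_active and inactive_since is not None
                    and (obs.observed_on - inactive_since).days >= min_inactive_days):
                return True
            was_active, inactive_since = True, None
        elif was_active and inactive_since is None:
            inactive_since = obs.observed_on
    return False

def weekly_history(start_iso: str, pattern: str) -> list[LookupObservation]:
    """Constructed sample data: one lookup per week, 'A' = active, '-' = inactive."""
    start = date.fromisoformat(start_iso)
    return [LookupObservation(start + timedelta(weeks=i), ch == "A") for i, ch in enumerate(pattern)]

# --- Registration collision: archive Alice's account, or route the registrant to recovery ---

@dataclass
class Account:
    identifier: str   # the phone number used as login identifier
    name: str
    birthday: date
    last_login: date
    locked: bool = False

def archived_identifier(phone: str, archived_on: date) -> str:
    # Dated suffix from the post, so the same number can be archived more than once.
    return f"{phone}-archived-{archived_on.isoformat()}"

def archive_account(store: dict[str, Account], account: Account, today: date) -> None:
    """Lock the old account and move it to a dated archive identifier, freeing the phone number."""
    del store[account.identifier]
    account.identifier = archived_identifier(account.identifier, today)
    account.locked = True
    store[account.identifier] = account

def answers_match(account: Account, name: str, birthday: date) -> bool:
    return account.name.strip().casefold() == name.strip().casefold() and account.birthday == birthday

def handle_registration(store: dict[str, Account], phone: str, name: str, birthday: date, today: date,
                        otp_verified: bool, number_deactivated: bool = False,
                        dormancy: timedelta = timedelta(days=180)) -> str:
    if not otp_verified:
        return "otp_required"  # possession of the number is the precondition for everything below
    existing = store.get(phone)
    if existing is None:
        store[phone] = Account(phone, name, birthday, today)
        return "new_account"
    if number_deactivated:  # Know Bob is New: a reliable signal such as a reassigned-number database
        archive_account(store, existing, today)
        store[phone] = Account(phone, name, birthday, today)
        return "new_account"
    if answers_match(existing, name, birthday):  # Figure Out If Bob is New: Bob is actually Alice
        return "account_recovery"
    if today - existing.last_login < dormancy:
        # Assumption (not from the post): a recently used account cannot be a reassignment, so a
        # knowledge-question mismatch neither archives it nor hands it over.
        return "rejected"
    archive_account(store, existing, today)
    store[phone] = Account(phone, name, birthday, today)
    return "new_account"

def run_scenarios() -> dict[str, str]:
    """Constructed walk-through: Alice registered 303-555-1212, last logged in in 2021; Bob has it now."""
    today = date(2026, 6, 1)
    def fresh_store(last_login: date) -> dict[str, Account]:
        return {"303-555-1212": Account("303-555-1212", "Alice", date(1980, 1, 1), last_login)}
    bob = ("303-555-1212", "Bob", date(1990, 5, 5))
    out: dict[str, str] = {}
    store = fresh_store(date(2021, 3, 1))
    out["bob_without_otp"] = handle_registration(store, *bob, today, otp_verified=False)
    out["bob_dormant_alice"] = handle_registration(store, *bob, today, otp_verified=True)
    out["alice_archived_as"] = next(k for k, a in store.items() if a.name == "Alice")
    out["alice_locked"] = str(store[out["alice_archived_as"]].locked)
    out["alice_returns"] = handle_registration(fresh_store(date(2021, 3, 1)), "303-555-1212", "alice ",
                                               date(1980, 1, 1), today, otp_verified=True)
    out["bob_recent_alice"] = handle_registration(fresh_store(date(2026, 5, 1)), *bob, today, otp_verified=True)
    out["bob_with_signal"] = handle_registration(fresh_store(date(2026, 5, 1)), *bob, today,
                                                 otp_verified=True, number_deactivated=True)
    return out
```

`run_scenarios()` walks the post's story: Bob without a verified OTP gets nowhere; Bob against Alice's dormant account gets a fresh account while Alice's moves to `303-555-1212-archived-2026-06-01` and is locked; Alice coming back with matching answers is routed to account recovery; and a deactivation signal archives even a recently used account, which is the whole point of having one.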
