For passwordless login using phone numbers, where phone numbers can be recycled, how does one prevent access to a recycled phone number? For example, assume I signed up at www.abc.com using my phone number and after 1 year, I cancelled my phone subscription, resulting in the telecom company recycling my phone number to a different person. That different person can now log into www.abc.com using my (previous) phone number and access my account details. How can this be prevented? Thanks.
The consumer should delete/change/update all his online accounts (not only the ones using Auth0) where he uses passwordless via SMS. There’s no way that Auth0 (or any other service) knows that a number has been recycled.
On your end, you could enforce MFA (other than SMS of course, such as TOTP). Or the consumer does it on their own, which is generally a good option.