Passwordless - Recycling of phone numbers


For passwordless login using phone numbers, where phone numbers can be recycled, how does one prevent access to a recycled phone number? For example, assume I signed up at using my phone number and after 1 year, i cancelled my phone subscription resulting in the telecom company recycling my phoned number to a different person. That different person can now log into using my (previous) phone number and access my account details. How can this be prevented? Thanks.

The consumer should delete/change/update all his online accounts (not only the ones using Auth0) where he uses passwordless via SMS. There’s no way that Auth0 (or any other service) knows that a number has been recycled.

On your end, you could enforce MFA (other than SMS of course, such as TOTP). Or the consumer does it on its own, which is generally always a good option.

@mathiasconradt Thanks!

1 Like

Let us know @pradheepa if you have any other questions!

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.