Passwordless - Recycling of phone numbers

pradheepa · September 18, 2019, 7:26am

Hi,

For passwordless login using phone numbers, where phone numbers can be recycled, how does one prevent access to a recycled phone number? For example, assume I signed up at www.abc.com using my phone number and after 1 year, i cancelled my phone subscription resulting in the telecom company recycling my phoned number to a different person. That different person can now log into www.abc.com using my (previous) phone number and access my account details. How can this be prevented? Thanks.

mathiasconradt · September 18, 2019, 8:13am

The consumer should delete/change/update all his online accounts (not only the ones using Auth0) where he uses passwordless via SMS. There’s no way that Auth0 (or any other service) knows that a number has been recycled.

On your end, you could enforce MFA (other than SMS of course, such as TOTP). Or the consumer does it on its own, which is generally always a good option.

pradheepa · September 18, 2019, 8:30am

@mathiasconradt Thanks!

konrad.sopala · September 18, 2019, 10:35am

Let us know @pradheepa if you have any other questions!

Topic		Replies	Views
Using SMS passwordless login on recycled mobile numbers Get Help login-experience , new-universal-login-experience	5	874	July 13, 2023
What happens when a user changes his phone number? (passwordless login) Get Help passwordless , passwordless-sms	2	5057	August 11, 2019
How to verify phone number without passwordless and MFA Get Help management-api , users	3	2479	July 20, 2023
Friend cannot log in to Auth0 management as SMS never arrives Get Help mfa , webauth-factor	2	60	July 18, 2025
Best practices Change MFA Ph# Get Help mfa , email-factor	4	1172	February 16, 2024

Passwordless - Recycling of phone numbers

Related topics