2FA and Recycled Phone Numbers Are a Security Risk


Two-factor authentication (2FA) is supposed to increase security. That extra step is meant to stop attackers from breaking into your account: even if they learn one credential, they still have to get past a second factor they most likely do not have. However, researchers have found that 2FA can itself become a security risk when phone numbers are recycled.

Recycled Phone Numbers Expose 2FA Accounts

Whether it’s because they relocate or switch cell carriers, people change their phone numbers from time to time. But there isn’t an unlimited supply of unused phone numbers. Because of this, discarded phone numbers are often recycled. You may have discovered this when you picked up a new number and are bothered by a rash of calls for the person who was previously connected to that number.

You may be bothered by more than that. If the number was previously attached to an account's 2FA, that account is exposed to a security risk. Instead of needing both factors for access, all that is needed now is the phone number.


Princeton University researchers discovered the security risk associated with 2FA and recycled phone numbers. Out of more than 250 phone numbers the researchers sampled, 17 were connected to accounts at popular websites. The sampled numbers were available from two major carriers.

“Additionally, a majority of available numbers led to hits on people search services, which provide personally identifiable information on previous owners. Furthermore, a significant fraction (100 of 259) of the numbers were linked to leaked login credentials on the Web, which could enable account hijackings that defeat SMS-based multi-factor authentication,” detailed the researchers in their study.

“We also found design weaknesses in carriers’ online interfaces and number recycling policies that could facilitate attacks involving number recycling.”


The new owners of the phone numbers are subjected to security and privacy-related calls and messages, including such things as authentication passcodes. The Princeton researchers believe the new owners could become incentivized to exploit the accounts these new numbers are connected to.
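A service-side mitigation for the problem described above, as an added example that is not from the article or the Princeton study: before delivering an SMS code, the service checks whether the carrier reported the number as released after the user last proved control of it, and falls back to another factor or to re-verification. The carrier feed format and all numbers are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date

@dataclass
class PhoneBinding:
    account: str
    number: str        # E.164 phone number stored for SMS 2FA
    verified_on: date  # last time the user proved control of this number

# Constructed sample of a carrier "deactivated numbers" feed: number -> date the
# previous subscriber released it. The dict format is an assumption for this example.
DEACTIVATION_FEED = {
    "+15551230001": date(2021, 3, 2),
    "+15551230003": date(2020, 11, 15),
}

def sms_factor_trusted(binding, feed, today, max_age_days=365):
    """Return (trusted, reason) for sending an SMS code to this binding."""
    released = feed.get(binding.number)
    # Number was handed back to the carrier after our last proof of control:
    # whoever holds it now may not be the account owner.
    if released is not None and released > binding.verified_on:
        return False, "number released after last verification; possible recycling"
    # Stale bindings are re-verified even without a feed hit.
    if (today - binding.verified_on).days > max_age_days:
        return False, "ownership not re-verified within max_age_days"
    return True, "ok"

def choose_second_factor(binding, feed, today, has_totp):
    """Pick the factor to challenge with; never fall back to a distrusted SMS number."""
    trusted, _reason = sms_factor_trusted(binding, feed, today)
    if trusted:
        return "sms"
    if has_totp:
        return "totp"
    # No other factor: require re-proof of the number through another channel
    # (e.g. a logged-in session or email) before SMS codes resume.
    return "reverify"

if __name__ == "__main__":
    today = date(2021, 6, 1)
    b = PhoneBinding("alice", "+15551230001", date(2021, 1, 10))
    print(sms_factor_trusted(b, DEACTIVATION_FEED, today))
    print(choose_second_factor(b, DEACTIVATION_FEED, today, has_totp=False))
```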

Limiting the Security Risk

What can you do when you are changing your phone number to limit the security risk of your accounts that were at one point connected to 2FA? Tracking down all those accounts protected by 2FA would be a nightmare.

The Princeton researchers believe you should “park” your old number when you’re switching to a new one. You can do this with a parking service, a mobile virtual network operator (MVNO), or a VOIP provider. This could give you the time you need to update your 2FA settings on your old accounts.

Do know that regardless of this concern, 2FA is still an important security method. Read on to learn how to set up 2FA on various social networks other than Twitter, which no longer needs phone numbers for 2FA.
