Beter Geregeld ICT
Security without an IT department · 5 min read · 28 June 2026

Old phone numbers in 2FA: the security gap nobody notices

Many SMB accounts are still tied to phone numbers belonging to former employees or a SIM you cancelled three years ago. Here's how to sort it out in an afternoon.

Two-factor authentication (2FA) is everywhere these days: at your bank, your accounting package, Microsoft 365, your e-commerce platform. Great. But there's a backdoor that stays wide open at many SMBs for years: the phone number you once registered as a backup or for SMS codes. And that number often no longer belongs to you — or no longer to the person it should.

Why this is a problem

A mobile number you cancel doesn't simply vanish. After a quarantine period (typically 3 to 6 months with Dutch providers) it goes back into the pool and is handed to a new customer. That new owner then receives every text message still addressed to the number, including login codes and password-reset links.

In practice, we regularly see these situations with SMB clients:

  • The former bookkeeper's mobile number is still listed as the emergency contact in the accounting package.
  • A company phone was handed in, but the number was ported to the employee for personal use, and that employee has since left.
  • The director has a second mobile for personal use, once used it "just quickly" for a password-reset SMS, and has long since forgotten.
  • The general reception mobile is listed everywhere as a backup, while the handset roams around the office.

The result: someone with the right timing and the right number can get in via "forgot my password" + SMS code. No hacking required.

The second problem: SMS is the weakest form of 2FA anyway

Aside from stale numbers, SMS-based 2FA is the least secure option in the first place. SIM swapping — where someone impersonates you at your provider and requests a new SIM — happens often enough in the Netherlands to take seriously. An app-based code (Microsoft Authenticator, Google Authenticator, 1Password) or a hardware key is always the better choice.

That said, SMS is still often the only option — at banks, some government services, and older portals. In those cases it's even more important that the number attached to your account genuinely belongs to the right person.

The clean-up: how to tackle it in an afternoon

1. Make a list of accounts that use 2FA

Not just Microsoft 365 or Google Workspace. Think also about:

  • Accounting software (Exact, Moneybird, Twinfield)
  • Bank portals and credit card environments
  • Webshop / CMS (Shopify, WooCommerce, WordPress)
  • Domain registrar and hosting provider
  • Email marketing (Mailchimp, Spotler)
  • Cloud storage (Dropbox, OneDrive, Google Drive)
  • CRM and project management software
  • Company social media accounts

A password manager will often give you a complete overview in a single click.

2. Log in and check the "security" section for each account

You're looking for three things:

  • Which phone numbers are listed as a 2FA method or recovery option?
  • Which email addresses are listed as a recovery option?
  • Which backup codes have ever been generated, and do you still have them stored somewhere safe? If not, generate a fresh set; with most services this invalidates the old ones.

3. Remove anything you can't account for

Not sure about a number? Delete it. If it was important, you can add it again. A minor inconvenience is better than leaving an unknown line open.

4. Replace SMS with an authenticator app wherever possible

With almost all major services, you can disable the SMS method once an authenticator app or hardware key is active. Actually do this: otherwise SMS remains a fallback that undermines everything else. Before you remove SMS, confirm the new method works by logging in with it once, and make sure the backup codes are stored, so you don't lock yourself out.

5. Record who uses which method

A simple spreadsheet (or better yet, a note in your password manager) is all you need: for each account, note the owner, the 2FA method, and the number or email address used as a backup. When an employee leaves, pull up this list — just as you would when handing over a password vault.

What to do with every staff change

Make "reviewing 2FA numbers" a standard part of your offboarding checklist, alongside revoking access and transferring passwords. It takes five minutes when done routinely — and hours when you have to piece it together after an incident.

Tip: do this for internal role changes too. An employee moving from finance to marketing should no longer be a recovery contact for the bank portal.
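As an added example (not code from the original article), the script below runs the checks from steps 2 to 5 and the offboarding check above over the spreadsheet from step 5, exported as CSV alongside a simple staff list. The staff names, phone numbers, account names and the set of services that only offer SMS are all constructed for the example; numbers written without a country code are assumed to be Dutch.

```python
"""Review a 2FA inventory spreadsheet for stale or misplaced recovery numbers."""
import csv
import io
import re
from collections import defaultdict

# Constructed sample data: a staff directory (with leavers kept as 'left')
# and the per-account 2FA inventory from step 5. All names and numbers are made up.
STAFF_CSV = """name,department,mobile,status
Anna,finance,06 11111111,active
Bram,marketing,+31 6 22222222,active
Carla,finance,0633333333,left
"""

ACCOUNTS_CSV = """account,owner,mfa_method,backup_phone,backup_codes_stored
Exact Online,Anna,sms,+31633333333,no
Microsoft 365,Bram,authenticator,0622222222,yes
Bank portal,Anna,sms,+31622222222,yes
Domain registrar,Bram,sms,0644444444,no
"""

# Services where SMS is the only second factor on offer (assumption for the example).
SMS_ONLY_SERVICES = {"Bank portal"}


def normalize_phone(raw: str) -> str:
    """Bring '06 12345678', '+31 6 12345678' and '0031612345678' to one form.
    Numbers without a country code are assumed to be Dutch (+31)."""
    digits = re.sub(r"[^\d+]", "", raw)
    if digits.startswith("00"):
        return "+" + digits[2:]
    if digits.startswith("0"):
        return "+31" + digits[1:]
    return digits


def load_staff(text: str) -> dict:
    """Map normalized mobile number -> staff record."""
    return {normalize_phone(r["mobile"]): r for r in csv.DictReader(io.StringIO(text))}


def review(accounts_text: str, staff_text: str, sms_only=SMS_ONLY_SERVICES) -> dict:
    """Return {account: [finding, ...]} for every account that needs action."""
    staff_by_phone = load_staff(staff_text)
    staff_by_name = {r["name"]: r for r in staff_by_phone.values()}
    findings = defaultdict(list)
    for row in csv.DictReader(io.StringIO(accounts_text)):
        acct = row["account"]
        owner = staff_by_name.get(row["owner"])
        phone = normalize_phone(row["backup_phone"]) if row["backup_phone"] else ""
        if phone:
            holder = staff_by_phone.get(phone)
            if holder is None:
                # Step 3: a number nobody can account for is removed.
                findings[acct].append(f"backup number {phone} is not in the staff directory: remove it")
            elif holder["status"] != "active":
                # Offboarding: the number may already be with a new owner.
                findings[acct].append(f"backup number belongs to former employee {holder['name']}: remove it")
            elif owner and holder["department"] != owner["department"]:
                # Role change: recovery contact should sit with the account's department.
                findings[acct].append(
                    f"recovery number belongs to {holder['name']} ({holder['department']}), "
                    f"owner {owner['name']} is in {owner['department']}: reassign it")
        if row["mfa_method"].lower() == "sms" and acct not in sms_only:
            # Step 4: SMS only where the service offers nothing better.
            findings[acct].append("SMS is the 2FA method but an authenticator app is possible: switch and disable SMS")
        if row["backup_codes_stored"].lower() != "yes":
            findings[acct].append("no backup codes stored: generate a fresh set and keep them in the password manager")
    return dict(findings)


def offboarding_actions(accounts_text: str, staff_text: str, leaver: str) -> list:
    """Everything to touch when one named employee leaves: owned accounts and
    accounts that still use the leaver's number as a backup."""
    staff = load_staff(staff_text)
    leaver_phones = {p for p, r in staff.items() if r["name"] == leaver}
    actions = []
    for row in csv.DictReader(io.StringIO(accounts_text)):
        if row["owner"] == leaver:
            actions.append(f"{row['account']}: transfer ownership and re-enrol 2FA for the new owner")
        if row["backup_phone"] and normalize_phone(row["backup_phone"]) in leaver_phones:
            actions.append(f"{row['account']}: remove {leaver}'s number as a backup method")
    return actions


if __name__ == "__main__":
    for account, items in review(ACCOUNTS_CSV, STAFF_CSV).items():
        print(account)
        for item in items:
            print("  -", item)
    print("\nOffboarding Carla:")
    for action in offboarding_actions(ACCOUNTS_CSV, STAFF_CSV, "Carla"):
        print("  -", action)
```

The point of normalizing the numbers first is that the same mobile tends to appear as "06 ...", "+31 6 ..." and "0031..." across different portals; without that step the former bookkeeper's number slips through as "unknown" in one place and "known" in another. Run the review once a year and the offboarding function for every leaver, against the same spreadsheet you maintain in step 5.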

The annual review

Once a year — during a summer tidy-up or in January, for example — block out half a day to go through all your 2FA settings. Combine it with your access check and your orphaned-accounts clean-up. That way you tackle three risks at once in a single session.

Need some help?

Struggling to work out which accounts exist, or unsure whether your 2FA setup is solid enough? We regularly help SMBs with exactly this through our 2FA implementation service and a broader access check. No lengthy projects — usually a few hours of work and you'll know exactly where you stand.

Topics

#mkb #security #offboarding #toegangsbeheer #2Fa

Full guide: Security for SMBs without an IT department: what do you do this quarter?

This article is part of our comprehensive Security without an IT department guide. Read the pillar for the full picture.
