But try not to change your phone number.
I know this sounds somewhat convoluted, but bear with me. It may be the number one way people permanently lose access to their online accounts.
I harp on keeping your recovery information up to date, but there’s one scenario that keeps your recovery information up to date automatically.
It’s what happens when you get a new phone.
Changing your phone number
Keeping your phone number when changing phones or providers prevents you from losing access to online accounts due to outdated recovery information. If you do change numbers, it’s crucial to update all accounts to avoid permanent lockout or unauthorized access by someone who might inherit your old number.
A new number is not required
In many if not most cases, when you get a new mobile phone you do not need to get a new mobile phone number.
I’ve had the same phone number for well over two decades across perhaps a dozen different devices. Each time I replace my phone, the old phone number is reassigned to the new device. When that happens, nothing needs to change. I have the same phone number, I continue to be able to receive text messages at that number, and any place I’ve used that phone number as account recovery information remains correct.
In the US, at least, it’s called number portability. You can keep the number when you get a new phone and even when you change mobile providers.
Sometimes, people don’t realize that it’s possible to keep their number, their carrier (presumably outside of the United States) doesn’t offer the service, or they actually want to change their phone number. For whatever reason, they end up with a new phone number.
OK, you have a new number, now what?
Your next step is critical for more reasons than you might expect.
You must visit every online site or service where you’ve used your old number and update it with your new one. Do so as quickly as possible, prioritizing your email, banking, and other important accounts.
If that sounds daunting, it’s because it is. It can be quite time-consuming.
On top of that, while we remember the important accounts we use regularly, it’s difficult to remember all the accounts where you’ve entered your mobile number.
Let’s look at the reasons why doing so is important.
The risks of change: #1
The reason this is such a big deal is that people lose access to online accounts — permanently — all the time because their phone number changes.
Here’s the sequence of events.
- They open an account at an online provider.
- They specify their mobile number for security and account recovery.
- Time passes.
- Their phone number changes, either intentionally or as a side effect of getting a new phone or new mobile carrier.
- Time passes.
- They need extra authentication at the online service for some reason. The service sends a text message with a code to the mobile number on record.
- Since that mobile number on record is the old number, and they no longer have access to texts sent to that number, they cannot complete the extra authentication.
- In the worst case, they are now permanently locked out of their own account.
I see it often.
If you get a new number, change it everywhere.
The risks of change: #2
Honestly, I recently heard of this scenario, and it surprised the heck out of me.
- You get a new phone number.
- You don’t update various accounts using your old phone number.
- Time passes.
- Your old phone number is released for re-use. (Phone numbers are a finite resource, so yes, they are reused after some undefined period.)
- Someone else gets assigned your old phone number.
- They use that number to sign in to a service that happens to be a service you use.
- By mistake, they sign into your account on that service.
There’s nothing malicious here; it’s just a side effect of your old number being recycled and your failure to change your number at the service in question.
And yes, this shocks me. I would expect a service to require something more than only a text message to sign in. (A password would be good.) But apparently, as I discovered on a recent episode of the Smashing Security podcast, it’s a thing.
Do this
If at all possible, keep your existing mobile number when replacing your phone or changing providers.
If you do change your phone number, make certain to visit all the accounts at which you used the old one as recovery information or second-factor authorization. You risk losing access to that account permanently if you don’t, and for some accounts, you might also be allowing someone else to access it.
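One way to build that update list from a personal account inventory, as an added example that is not part of the original article: it matches the old number regardless of how it was typed and puts email and banking accounts first. The CSV columns, the sample rows, and the 10-digit national number rule are assumptions made for illustration.

```python
import csv
import io
import re

# Constructed sample inventory; the column names are assumptions, not a real export format.
SAMPLE_INVENTORY = """service,category,recovery_phone,recovery_email,second_factor
Example Mail,email,(425) 555-0123,,sms
Example Bank,banking,+1 425-555-0123,me@example.com,sms
Example Forum,other,425.555.0123,me@example.com,none
Example Shop,shopping,+1 206 555 0199,me@example.com,totp
Example Photos,other,,me@example.com,none
"""

# The article's ordering: email and banking before everything else.
PRIORITY = {"email": 0, "banking": 1}


def normalize(number, default_country="1"):
    """Reduce a phone number to digits with country code so formats compare equal."""
    digits = re.sub(r"\D", "", number or "")
    if len(digits) == 10:  # assumption: 10-digit national numbers (NANP)
        digits = default_country + digits
    return digits


def accounts_to_update(inventory_csv, old_number):
    """Return accounts still tied to old_number, most urgent first."""
    old = normalize(old_number)
    hits = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if not old or normalize(row["recovery_phone"]) != old:
            continue
        risks = []
        if not row["recovery_email"].strip():
            risks.append("phone is the only recovery method")
        if row["second_factor"].strip().lower() == "sms":
            risks.append("sign-in codes go to the old number")
        hits.append({"service": row["service"], "category": row["category"], "risks": risks})
    # Priority categories first, then accounts carrying more risks, then by name.
    hits.sort(key=lambda h: (PRIORITY.get(h["category"], 2), -len(h["risks"]), h["service"]))
    return hits


if __name__ == "__main__":
    for hit in accounts_to_update(SAMPLE_INVENTORY, "425-555-0123"):
        print(f'{hit["service"]:15} {hit["category"]:9} {"; ".join(hit["risks"]) or "stale recovery phone"}')
```
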
Great advice.
I would add that wherever you are able to, add a second method of recovery using your email address.
This is a subject where using a password manager becomes a tool to help make the changes. If one changes their telephone number or email address, a password manager makes it easier to go through all the accounts and update the account information.
Ideally, users should have two methods set up to verify their accounts, email and phone number. Getting a different phone number could make it difficult to log in if the old number isn’t available. Having the email as a backup method would keep users from getting locked out.
I’ve gotten into a habit of periodically checking my account information on websites to verify my information and to see if any changes have been made to account recovery procedures. It is better to know beforehand how to recover an account than trying to do it on the fly.
The problem that I see people encounter is this: they’ve configured both an email and a phone number, but the system insists on using the phone number. A problem if that’s no longer your phone number. Honestly, I don’t understand it, but this happens with some of the big players, not just small ones that are prone to getting things wrong.
I don’t know how it works in the US because my US phone # is under a family plan, but in Europe, you can take your phone number to a different carrier for a small (~$25) fee. The new carrier usually gives you a transfer bonus that covers the transfer fee.
I’m in the UK and I still have the number I got with my first mobile phone 20-odd years ago. I tend to buy the phone outright and have a separate SIM contract so it’s easy to transfer the existing SIM card to a new phone. If you wish to move to a new provider you send a text to your existing one and they are obliged to send you a code to give to the new provider. The number gets transferred in a couple of days.
This is also true for an old (but heavily used) email account… until all the old usage is gone (accounts closed or reconfigured), it is an important vector… something to also remember as an estate administrator.
This item provides great information, and it’s something I haven’t considered until now, so I’ll probably be spending a large part of the rest of today going through all the accounts I have stored in my password manager’s vault, to make sure my recovery information is up-to-date. Additionally, I’m adding this procedure to my check-list of annual maintenance routines. It’s a good thing that I don’t have too many annual system maintenance routines. Most are monthly, or bi-annual.
Ernie (Oldster)
You didn’t mention the issue of moving from one geographical location to another. In the “old days,” [I’m an old-timer :) ], whenever you physically moved from old home to new home, you automatically were assigned a new number by Ma Bell. Nowadays, what happens when you move from one area code to another? A person might assume they would HAVE to get a new number in that scenario. If everybody keeps their mobile numbers forever, area codes are rendered meaningless. There’s really no way to tell if someone who is calling you is local or from across the country. At the individual level, however, there are obvious advantages in keeping the same number forever, as the article stated.
There are pros and cons to most things. It’s a small inconvenience not knowing where a call is coming from, but the convenience of having the same phone number for the rest of your life, in my opinion, greatly outweighs that. I don’t answer if the caller ID is not in my contacts. Probably, not many people can do this, but being retired, I’m not expecting calls from people I don’t know.
Yes, area codes are becoming more and more meaningless.
This brings up a related query. I keep reading about the merits of a passkey because it is a function of your device. WHAT IF MY DEVICE GOES BELLY UP?
Mel
That’s what recovery codes are for. :)
Ernie (Oldster)
Passkeys are never the only way in. https://askleo.com/passkeys-and-disaster-planning/
Without a passkey — say it’s gone, or you move to a different machine — then you use a different, typically more cumbersome authentication approach, ONCE. Like sending a code to your email address, or similar.
This (the purpose of the article) is why I STRONGLY advise everyone to keep a database with all account related information nearby and updated. It can be a notebook hidden in a safe, post-it notes on the inside of the freezer door, a Password Manager (assuming it will allow for all the pertinent information to be stored – not all will) or an encrypted database file, kept locally on encrypted drives. Anything that ‘works for you’ and that can be kept secured.
Log everything from Site/services names, user IDs, passwords (do not need to be in clear text – use a coding scheme), associated e-mail addresses, web sites, phone numbers, when added, when changed, what type of 2FA and when added, if there is any payment information associated and of what type (bank, PP, CC, Venmo, etc), answers to secret questions (again, they do not need to be in clear text, you can ‘code’ them via a personal scheme). Also log when last accessed, etc.
This project might seem daunting, but it is pretty easy to compile over time. You will also be stunned to find that most anyone with any online activity is likely to have several hundred accounts (and of course, associated passwords…). And once done, life literally is much easier – and safer. Very easy to keep updated as things change.
Highly recommended is also to share with someone how – in the event of a too early demise – a trusted family member or friend can access this information (can be one person who knows ‘how’, and one person who can ‘get’ access, etc).
I use an encrypted .zip file to hold my password manager’s vault backup, financial information, and spreadsheets with other sensitive information. I like it all in one place. Actually they are in a few places because of backups, but they all stay together in most of my copies. I like .zip because I can open my files on any machine via the OneDrive website.