Understanding passwordless sign up for mobile apps


2

How does phone number based authentication work, and what are its best practices?

I’ve noticed there are apps with streamlined sign-up/log-in processes where only a phone number is required, simply the phone number and then a verification code sent to the user via SMS. A good example is the dating app Hinge.

I don’t really understand how this works, as it seems sort of insecure without a secret/password involved, and some obvious edge cases come to mind like:

  1. What happens if the user switches phone numbers? Can they access their account or need to go through some kind of customer service? How would you prove the new owner was tied to the old number? Could someone else access the original account if they later obtained the original number?
  2. Do you need to keep track of device information in order to identify when a new device is authenticating with a phone number?

I can’t seem to find much for educational content on SMS based authentication, greatly appreciated if you can share some wisdom or point to good resources!

2

1

… as it seems sort of insecure without a secret/password involved

It’s as secure as social logins. How does moving to a different Google account than the one used to sign up on StackExchange make SE insecure?

What happens if the user switches phone numbers? Can they access their account or need to go through some kind of customer service?

It depends. This is a pure business decision. Some providers won’t allow you. Not even the mighty WhatsApp allows it. Hinge either. At the moment. For whatever reason.

It doesn’t mean that this kind of “migration” is not possible. Technically it is, but the design must support it and we know what drives design.

How would you prove the new owner was tied to the old number?

Good question. It’s very hard to prove. We never have the reassurance that the person on the other side is the owner of anything (account, phone, phone number, …). Anybody can be impersonated.

However, we can mitigate the uncertainty. One way is requesting information about the owner that only the owner and you know[1]. Another way is asking about the activity up to a certain date.

Could someone else access the original account if they later obtained the original number?

It depends. Have you removed the account? Does the account expire after a certain period of inactivity? Have you communicated the problem to the provider of the app?

No? Then yes, it’s possible, but it depends on the probability that someone else will get your phone number, install and run the app. All of this before you remove the account or before it expires.

Do you need to keep track of device information to identify when a new device is authenticating with a phone number?

Tracking device information and user activity is a good feature to have because it gives you something to ask the user about, as I mentioned previously. Banks track expenses, activity and locations so they can notify you if any expense or activity is detected out of the ordinary. Gmail does so when we access the account from different devices.

The bank is likely to make a call to inform you about suspicious credit card activity, and Gmail will send an email informing you about the recent activity carried out from a different device and will ask you for verification.


[1]: Years ago, we used to have secret questions and answers to recover accounts.

2

If you think about it, it is fairly secure.

  1. User installs App
  2. Clicks signup, Enters name, enters phone number, gets SMS, clicks confirm

Here the app can generate a unique Id to use as an account Id and a random password, which are not shown to the user, as well as a username and a phone number, which the user knows.

The app can then sign in to the server’s auth server and get a long-lived refresh token.

Pretty much the same as signing up to any service, except that the user has already forgotten their password.

  • Phone is destroyed.

User buys a new phone, downloads the app and “resets password” by going through the SMS confirmation again.
</gre_replace_placeholder_never_used>

  • User changes phone number

User puts the new SIM in the phone and loads the app. The app still has the stored account details, so you can log on and change your number.

  • User loses phone AND changes phone number

Well here you are screwed, but are you any worse off than say if you forgot your email pass and hadn’t setup some alternate contact method?

Presumably any app provider can also have an “add your email” or “add multi-factor auth” option in the settings if it’s a concern.

  • User’s phone is cloned (someone else gets their phone number)

Here we also have a risk, because it’s hard to distinguish the difference between this and the “app is deleted” scenario.

Even so, you can detect that more than one device is connected at the same time and warn the user.
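
The flow both answers describe, written out as an added example (not code from the question, the answers, or any of the apps named above): the server keeps a keyed hash of the SMS code rather than the code itself, accepts it once, caps guesses, hands the app a refresh token instead of a password, and keeps a device list so a sign-in from an unknown device produces the “new device” alert the first answer mentions. Switching numbers is handled by verifying the new number via SMS while the old session is still valid. Everything here is an assumption for illustration: the `SmsAuthServer` class and its methods, the `send_sms` callback standing in for a real gateway, the five-minute / five-attempt policy, and the constructed phone numbers and outbox in `run_demo`.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 300     # assumed policy: a code is good for five minutes
OTP_MAX_ATTEMPTS = 5      # assumed policy: after this many checks the code is discarded


class SmsAuthServer:
    """Server side of a phone-number sign-up: one-time codes, refresh tokens, device list."""

    def __init__(self, send_sms, clock=time.time):
        self._send_sms = send_sms       # hypothetical transport callback (phone, text) -> None
        self._clock = clock
        self._pepper = secrets.token_bytes(32)   # server-side key; codes and tokens are stored hashed
        self._pending = {}              # phone -> {"hash", "expires", "attempts"}
        self._accounts = {}             # phone -> {"account_id", "devices", "alerts"}
        self._sessions = {}             # hash(refresh_token) -> (phone, device_id)

    def _hash(self, value):
        return hmac.new(self._pepper, value.encode(), hashlib.sha256).hexdigest()

    def request_code(self, phone):
        """Issue a fresh six-digit code; only its keyed hash is kept server-side."""
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self._pending[phone] = {"hash": self._hash(code),
                                "expires": self._clock() + OTP_TTL_SECONDS, "attempts": 0}
        self._send_sms(phone, f"Your verification code is {code}")

    def _consume_code(self, phone, code):
        """Accept a code once: expiry, attempt cap and constant-time comparison."""
        entry = self._pending.get(phone)
        if entry is None:
            return False
        entry["attempts"] += 1
        if self._clock() > entry["expires"] or entry["attempts"] > OTP_MAX_ATTEMPTS:
            del self._pending[phone]
            return False
        if not hmac.compare_digest(entry["hash"], self._hash(code)):
            return False
        del self._pending[phone]        # single use: a replayed code is rejected
        return True

    def _issue_session(self, phone, device_id):
        account = self._accounts.setdefault(
            phone, {"account_id": secrets.token_hex(16), "devices": {}, "alerts": []})
        new_device = device_id not in account["devices"]
        if new_device and account["devices"]:
            account["alerts"].append(f"new device {device_id} signed in")   # tell the other devices
        self._sessions.pop(account["devices"].get(device_id), None)   # re-verifying revokes the old token
        token = secrets.token_urlsafe(32)
        account["devices"][device_id] = self._hash(token)
        self._sessions[self._hash(token)] = (phone, device_id)
        return {"account_id": account["account_id"], "refresh_token": token,
                "new_device": new_device, "active_devices": len(account["devices"])}

    def verify_code(self, phone, code, device_id):
        """Sign-up, login on a replacement phone and 'reset password' are all this one call."""
        if not self._consume_code(phone, code):
            return None
        return self._issue_session(phone, device_id)

    def resume(self, refresh_token):
        """A returning app presents its stored token instead of repeating the SMS round trip."""
        sess = self._sessions.get(self._hash(refresh_token))
        if sess is None:
            return None
        phone, device_id = sess
        return {"account_id": self._accounts[phone]["account_id"], "phone": phone, "device_id": device_id}

    def change_number(self, refresh_token, new_phone, code):
        """Rebind a logged-in account to a new number once that number is verified by SMS."""
        sess = self.resume(refresh_token)
        if sess is None or new_phone in self._accounts:   # never merge into someone else's account
            return False
        if not self._consume_code(new_phone, code):
            return False
        account = self._accounts.pop(sess["phone"])
        self._accounts[new_phone] = account
        for token_hash in account["devices"].values():    # existing devices stay logged in
            self._sessions[token_hash] = (new_phone, self._sessions[token_hash][1])
        return True

    def alerts(self, phone):
        return list(self._accounts.get(phone, {"alerts": []})["alerts"])


def run_demo():
    """The scenarios from the answers, with a constructed in-memory outbox standing in for an SMS gateway."""
    outbox = []
    srv = SmsAuthServer(send_sms=lambda phone, text: outbox.append((phone, text)))
    latest_code = lambda: outbox[-1][1].split()[-1]    # read the code out of the constructed message
    srv.request_code("+15550100")
    first = srv.verify_code("+15550100", latest_code(), "phone-A")     # sign-up
    replay = srv.verify_code("+15550100", latest_code(), "phone-A")    # same code again: rejected
    srv.request_code("+15550100")
    second = srv.verify_code("+15550100", latest_code(), "phone-B")    # phone lost, or number cloned
    srv.request_code("+15550199")                                      # user moves to a new number
    moved = srv.change_number(second["refresh_token"], "+15550199", latest_code())
    resumed = srv.resume(first["refresh_token"])                       # old phone's token still valid
    srv.request_code("+15550200")
    guesses = [srv.verify_code("+15550200", "111111", "attacker") for _ in range(OTP_MAX_ATTEMPTS + 1)]
    locked_out = srv.verify_code("+15550200", latest_code(), "attacker")   # real code no longer accepted
    return {"first": first, "replay": replay, "second": second, "moved": moved, "resumed": resumed,
            "alerts_new": srv.alerts("+15550199"), "alerts_old": srv.alerts("+15550100"),
            "guesses": guesses, "locked_out": locked_out}
```

The “phone lost” and “number cloned” cases are indistinguishable on the server, exactly as the second answer says; what the design can do is make the second sign-in visible (the `alerts` entry on the account) and keep the original device’s token working so the real owner is not silently logged out. Missing from this sketch, and worth adding in production, are rate limiting on `request_code` per number and per client, and an inactivity expiry for accounts so a recycled number does not hand a stranger an old profile.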
