Securing SMS Based Authentication: Handling Recycled Phone Numbers
SMS authentication works well as part of a 2-factor authentication scheme, on its own? Not so much.
If the phone number and the value of the code sent in the SMS are the only things required to login, then this is vulnerable not just to recycled numbers but anyone who knows the number and can read SMS’s sent to it.
Since you were specifically asking about recycled numbers, then really the only ways to defend against this threat model are either for the user to ensure that they deactivate the link between the account and the phone number or for the operator of the site to use a service which provides phone number deactivation information such as PhoneID:
https://www.telesign.com/products/phone-id/
This uses data from telco providers to indicate when a number has been deactivated or changed hands, etc.