177 comments

[ 2.1 ms ] story [ 213 ms ] thread
Now that's interesting.

Normally, the entire point of having a SIM in the first place is to have a secure storage element for the crypto keys authenticating the subscriber to the network... so similar to a TPM, it doesn't make sense for anyone to be able to extract the private key material, while it does make sense to be able to import new key material while at the same time only allowing authorized parties to do so - hence the entire dance with eSIM provisioning and multiple layers of cryptography involved.

But what's described in the article, at least to me, is that the source eSIM only creates some sort of token that a backend in the carrier then uses to provision a new set of keys for the destination device - so there will at least be some sort of record of such a change, and hopefully a way to prevent eSIM transfers... because otherwise this will be a pretty nasty attack vector, all you'd need to take over someone's phone number is to get their phone unlocked in your hands.

If it's just transferring the provisioning token over to the other phone (which is what it does sounds like), I wonder why the tool is needed and one couldn't just reuse the QR code used to install the eSIM initially.
Depends on the carrier if the QR code can be re-used.
I've never seen a reusable QR code. Even worse, if there's a hiccup during provisioning it's usually immediately invalidated and you need to spend time with customer support to get issued a new one.
eSIMs are superficially about "making phones smaller" and waterproofing.

What eSIMs really are about: the industry fighting back against regulations restricting their anti-competitive SIM and carrier locking.

eSIMs are about is stripping owners of the control they have via pulling the physical SIM and putting it in another phone.

Nothing a quick regulation can't solve. If EU could make Apple use USB-C and enable non-Webkit browsers, I'm sure same could be done to fix eSIM.
See you in 2035

Unfortunately we have to suffer for a long time before regulation follows, if ever.

Then regulation follows and we get cookie banners sometimes.

Sometimes you get free roaming and flat rate data tariffs …
It is just adapting existing laws to esims. Won't be nearly that long.

In the meantime, don't buy esims. Nothing but drawbacks.

I find buying local eSIMs when traveling internationally to be much more convenient than physical SIMs
Maybe, never had a need. But even more reason to have a physical sim for your primary service.
Sometimes we get cookie banners, sometimes we get EC 261, Schengen, or USB-C.

The root cause of the cookie banner problem was implementing third-party cookies in the first place. Regulation is like violence; in both that if it doesn't work you just need more, and that if you needed to resort to it you've already fucked up.

We can't wind the clock back and give Netscape a slap, or stop the operators from introducing SIM-lock on handsets. The next best thing is to fix it now, and yeah, sometimes the wheels have to turn slowly.

What else do you propose we do? Refuse to use mobile data? (Actually, doesn't seem like the worst idea.)

If it was about control the carriers would block the SIM when it was moved to a different phone.
They used to do that, but it was outlawed.
Not everywhere. The typical practice was to offer steep discounts on phones (or even 'free' phones), where the phone was paid through a high subscription price. However, the high subscription price was maintained after the phone was long paid off. This was ruled illegal in The Netherlands (and many other EU countries I believe), first because it was a loan in disguise (so the providers were bound to do credit checks), secondly because they are not allowed to continue charging the high subscription prices when the phone is already paid off.

As a result, SIM locking does not have any benefit to the providers anymore and they stopped doing that.

That said, I have used eSIMs for years now and there is not much of a real benefit outside dual SIM in phones that only have one physical SIM slot (like iPhone). When first starting a subscription it's faster, because you don't have to wait until the SIM card comes through snail mail. But after that there is always the anxiety after switching to a new phone whether the eSIM transition goes well. With most providers you have to request the eSIM through their app on your new phone, you get a second factor code on your old phone (where the SIM is still active), then an eSIM is installed on the new phone, but only activated after you remove the eSIM from the old phone. Sometimes you get an error in the middle of the process and it's not clear whether the migration is complete or not.

Another issue is that if somehow the screen of your phone is destroyed, it's hard to move the eSIM to a replacement. While with a physical card you just pop it out and put it in your new phone.

Many of the practices that were ruled illegal in your crystal-spires-and-togas utopia are alive and quite well in the stone-knives-and-bearskins hellscape across the pond. In particular, our carriers (excepting, as of yet, the German one) still whitelist handsets.
Can anyone actually cite a case of anti-lockin regulations being subverted because someone was using an esim instead of a physical sim? Not saying it doesn't happen but I'd be pretty surprised if a court suddenly said lockin is ok because they added an "e" to the SIM.
yeah I don't get this. Isn't the practical thing that esim transfers end up just being "go to your carrier's website and do a thing again"?

I feel like people with these comments don't realise that in many mobile markets carriers that do lockin don't do it via SIM cards, they do it via IMEI number locks on the phone. So even if you have a physical SIM card, you put it in another phone and it just doesn't work.

> Isn't the practical thing that esim transfers end up just being "go to your carrier's website and do a thing again"?

My carrier straight up doesn't support esim transfer as in moving the esim from one phone to an other, you have to renew / order a new one (as if you'd lost a physical sim basically).

It does not take too long once you find out you have to do that, and hunt down how to do it, but it's stressful, annoying, and dumb.

That's what I meant, yeah. Just feels like a UX issue, instead of some evil plot to prevent you from buying a new phone
I can.

I bought a bunch of cellular iPads off Amazon (“renewed”, aka refurbished) for my business. I tried out a few IoT cellular providers and the first one used regular SIM cards and they worked just fine. The second carrier (that I ultimately went with) used eSIM and while most my iPads joined up without issue I had 7 of them refuse to add the eSIM. While carriers aren’t allowed to lock iPads SIM they _are_ allowed to lock them to only work with their eSIM.

AT&T was the culprit here and you can find multiple mentions of this practice on their forums which appeared to be the only way to get help on this issue. Post a new topic, wait for customer support to come along and PM you, then ask for your iPads to be unlocked (EUICC).

AT&T Forum support ultimately told me “those iPads aren’t in our system, there is no lock on them”. I tried calling in (BTW, they won’t even talk to you unless you are a customer of theirs which, thankfully?, I was for my personal line) and spent hours on the phone with them only to be told the same thing. I want to be clear, I spent over 4 hours across multiple calls where I was told different things but ultimately told “there is nothing we can do”.

At this point I called Apple (Apple Business Manager) where I was able to talk to a real person within <1 min of dialing (normally I spent 10min in AT&T phone tree hell) and they confirmed “this is an EUICC/eSIM lock on the device by AT&T. ONLY AT&T can remove the lock”. I cannot rave enough about how easy it was to talk to ABM and how knowledgeable the person was, not to mention how they were easy to understand and immediately understood what I was asking. It was a stark difference from AT&T.

I called back into AT&T and just kept pushing until someone said they would do it and it’d be fixed in 24 hours. It was not. I had a couple more rounds with AT&T, each with 24-72 hours promises that it would be fixed. This dragged on for _weeks_.

Finally, as a hail mary before I attempted to return the troublesome iPads to Amazon (which was what AT&T support kept suggesting I do), I filed an FCC complaint and in less than 3 days AT&T reached out to me (no more automated systems) and released the lock on all my iPads. The same lock they swore didn’t exist, for iPads they swore were not “in their system”.

So yeah, there’s a case of anti-lock in being subverted with eSIM and the hell I had to go through to get it fixed.

Are you saying if you use physical SIM from AT&T on those iPads, the problem would suddenly go away? I thought regardless which kind of SIM you use, when a device joins the carrier's network, they have to identify itself with EID (or something equivalent). If AT&T has a block on that ID, why would the kind of SIM matter?

If there is a specific law forbidding carriers to put any kind of block on a device using only physical SIM, but not if eSIM, I'll be interested to know that law. And if that's the case, wouldn't it be obvious that because eSIM is a relatively new thing, the law is just lagging behind, not that eSIM inherently a bad thing?

I was able to use non-AT&T physical SIM cards without issue, I was blocked from using non-AT&T eSIMs. That’s all I know and I’m not sure on the laws around it.
Ah good old AT&T with the sleazy shit

Technically it’s not a SIM lock (also called carrier lock) in the traditional sense, AT&T calls it the carrier visibility or carrier reveal program.

It’s a BS name because it doesn’t just hide other carriers from the carrier select screen, it also actively prevents eSIM activation via QR code etc. And if you need help from AT&T CS 9/10 have never heard of this term.

For all intents and purposes it’s basically just an eSIM specific SIM lock.

But you (and anyone reading this that runs into the same issue) can use the “carrier visibility/reveal” terminology to get the issue resolved faster in the future.

> Technically it’s not a SIM lock (also called carrier lock) in the traditional sense, AT&T calls it the carrier visibility or carrier reveal program.

Yes, I forgot to mention that but I did know it at the time (I still have a doc with all those terms in it that I used when talking to the reps) and yes, almost no one knows what you are talking about. Even when I got someone to “put in a request” (which didn’t work) they sounded skeptical about what they were putting in a request for. It didn’t feel like they knew what I was talking about.

The only people that did use that term or understand it (other than the rep that contacted me after the FCC complaint) were the forum support but they told me the iPads weren’t in their system.

Sounds like the system worked as intended, you reached out to the telco regulator and the issue was resolved in 3 days. Also sounds like it isn't specifically an esim problem, but an AT&T being a shit company that tries to get away with illegal things problem and in this instance that involved an esim.

I'm more asking about cases where using an esim means the existing regulations don't apply, not instances of some shit company disobeying regulation until the regulator gets involved.

Do you have any more info how esims benefit the carrier?

I’m not in the US and superficially, it seems like esim and physical sim don’t differ that much.

I got bit by this when I bought a new iPhone recently, apparently the carrier "didn't allow" eSIM transfer so I had to go get another eSIM on my carrier's website.

How does Android protect against this? The carrier somehow disallowing it?

From the article:

> Although carrier support is still limited,

Nope. eSIM is crap on android too.

Works great for me. Sounds like your carrier is what's crap.
(comment deleted)
It does not. eSIM isn't made to help you, it's made to give control back to carrier and them money.
How is an eSIM any different from a normal one? I can get up to three eSIM (if memory serves well, did not check) from my carrier for free, plus up to two normal SIMs for free. And the carrier controls all of those anyway.

And additional SIMs are below 10 bucks.

A more general remarque so, I get it that sometimes companies monetize a tad too much. But then nobody is working for free, no service comes without cost for the provider and we all have to make money to pay our bills. Hence I do not get the "they are doing it onpy for money" attitude, especially on a site like HN with a considerable number of people making litteral FAANG money, money that comes exactly from these practices.

> considerable number of people making litteral FAANG money

As always, be careful not to confuse the sample with the distribution. The commenter you are replying to is not necessarily one of those people. Also, their statement might be matter-of-fact, not a condemnation.

Transferring eSIMs between the carriers requires their cooperation. They have to 'approve' the transfer and can drag their feet, create artificial obstacles along the way or simply refuse the transfer. Meanwhile moving traditional SIMs between phones just works
Don't many phone providers sell locked/branded phones that can only be used with their physical sims? This locking down has always existed, long before smartphones, and it's the reason I only buy phones direct from manufacturers.
> Hence I do not get the "they are doing it onpy for money" attitude, especially on a site like HN

I didn't read it as "they're doing it only for money". That indeed is perfectly understandable. I read GP as saying, they're being customer-abusive asshats.

We all need to make money to pay our bills and such, however there's a subtle but important difference between selling some good/service/labor in exchange for money, and abusing the customer to extract money from them. eSIM, per GP, is designed very much for the latter case.

> Hence I do not get the "they are doing it onpy for money" attitude, especially on a site like HN with a considerable number of people making litteral FAANG money, money that comes exactly from these practices.

As someone who designed quite a few public systems like this, I can recognize one that's built with users in mind and one that's built with profiteering in mind.

There's no reason for eSIM to not be easily transferrable between devices like pSIMs are. There's no reason that the QR codes with provisioning tokens can't be reusable and revokable like pSIM ones. There's no reason that eSIM provisioning servers work on whitelist principle where they deny all phones the carrier doesn't profit from.

And yet now we have all that. And before (at least here in Europe, I'm aware that US citizens are very used and defensive about abusive business practices by their telecoms) we didn't.

> There's no reason that eSIM provisioning servers work on whitelist principle where they deny all phones the carrier doesn't profit from.

AT&T already has a whitelist based on IMEI that works for pSIM too. https://redd.it/trfw5r

What did you try to say with that statement?
> There's no reason for eSIM to not be easily transferrable between devices like pSIMs are.

Indeed there is none:

https://support.apple.com/en-us/HT212780

> Use eSIM Quick Transfer on iPhone

> Some carriers support SIM transfers from your previous iPhone to your new iPhone without needing to contact them. You can also convert your current physical SIM card to an eSIM.

The whole page is full of what eSIM can do, but it seems carriers are not too happy about that as many block things that should be outright possible.

There are tons of weird things that are impossible just because carriers, e.g I have a phone that can do eSIM or pSIM, I have a tablet that can do mobile, eSIM or pSIM. I have a nice data plan for the phone, and it is eligible to share it with a watch and/or a tablet. Such a hypothetical watch that I don't own would be eSIM, and be able to share the data plan but somehow the exact same case for the tablet can only be done via pSIM, neither can I convert its pSIM to an eSIM, which is allowed for the phone. It makes no sense.

I've never had any additional costs incurred due to eSIM. It's always been free and instant, where as physical SIM cards I at times have had to pay a fee to swap out and it's always been a multi day process
Well, I did. Among others, the one of my carriers demanded (still does!) physical presence in their store to transfer eSIM which is a significant cost to anyone when their phone breaks. This was not the case with a small plastic card.

I've also had actual costs being charged when eSIM provisioning failed with "error -2" or whatever during travel and then carrier support refused to do anything about it (after taking my money for the card of course).

One carrier of mine demanded I appear in a physical store to issue a new physical SIM so it's not like eSIMs created or enabled that policy.
For my experience eSIM absolutely created that policy. The same carriers pSIMs still don't require that, so I'm not sure what exactly are you arguing here? The fact that your carrier has a shitty policy it's now ok to spread it?
I'm arguing shitty carriers can make shitty policies regardless of the underlying technology. It's not like eSIMs forced them to do that policy, the carrier just decided to be shitty all on their own. eSIMs can be delivered entirely digitally, so in reality they should be even easier and have even fewer needs to ever be in person.

eSIM didn't make that policy, your carrier did.

To add insult to injury, one carrier demanded this of me, then its retail store franchisees refused to issue me a SIM unless I purchased a new device or a new line so they’d make commission!
"new SIM" and "transfer SIM" are pretty different situations.
When I transfer my subscription to a new physical SIM I am issued a new SIM card, aren't I? Or do they use used SIM cards in those situations?

I've needed to go from a full-size SIM to a mini to a micro to a nano over the years. Each time was a new physical SIM, each time was more of a "transfer" to the new SIM card.

Those situations you are describing are "new SIM".

The pretty different situation, the one izacus was complaining about, is when you take your active SIM out of one device and put it into a different device. eSIM broke this for them.

(comment deleted)
Once again, eSIM didn't break this for them, their carrier's shitty eSIM policy broke it. There's little reason why they couldn't provision it through a web page or other forms. It's practically the same thing as needing to come into the store to get a new SIM because the old phone was a different size SIM or if a SIM was broken.

Provisioning an eSIM should be as simple as logging into your carrier's app or website and clicking a button or scanning a QR code. If it's any more complicated than that, your carrier sucks and you should start the porting process immediately. They're obviously customer-hostile and aren't deserving another month's subscription.

Yes the carrier sucks but the differences between normal SIMs and eSIMs enabled them to make this policy for transfers.

The reason I originally replied is because you said "it's not like eSIMs created or enabled that policy".

Even as a single policy, it affects a lot more situations now. eSIM enabled a big expansion of scope. And "different size SIM or if a SIM was broken" is significantly rarer than changing phones.

Is this a worthwhile trade-off? Saving few days and a fee but losing a physical token of a SIM?
The opposite: eSIM allows IoT devices being moved from one operator to another remotely, with no physical SIM swap. With device using physical SIM this wouldn't be economical, with eSIM remote change it can be. This allows long term users (meters, industrial connectivity, ...) not to be tied to a single MNO. They can regularly renegotiate their contract, and use competition. And the telcos really hate this, and tried to delay this happening as much as they could. Still in the end users and device makers managed to push this through the telcos throat.
The eSIM standard for embedded/internet-of-shit use is vastly different to the eSIM standard for phones and consumers. The devices could have their own standard, but as a consumer, I prefer my small metal and plastic square, thankyouverymuch.
I've had carriers block physical sim swaps. Some even charge for it.
esim allows me to provision my phone with a new phone number wherever I am.

I don't even need to go to any location, I just need someone to send me a QR code.

It is extremely helpful and a huge time saver.

Incredibly annoying - advertised "better than SIM", but really just a massive inconvenience.

The only good use-case (for the user) is buying travel eSIMs.

Another good use-case for eSIMs, at least in EU where carriers have to transfer your number within 24 hours, is moving number between carriers. Before, this involved waiting for new SIM arriving by snail mail, or having to drive to carrier's shop to pick it up, sometimes while your number was already deactivated at old carrier. With eSIM it recently took me less than 1 hour from requesting a number transfer to using it with new carrier, all without leaving house.

But it all depends on the carrier now - I heard stories of carriers who won't send you the QR code, instead requiring you to drive to their store so they can show it to you in person "for security", defeating the whole purpose.

I don't think such EU regulation exists. I transferred my number from one operator to a competitor recently. There was a one week (I believe) warning period that the transfer was announced, but could still have been cancelled.

The old operator used the week to make me 3 increasing discount offers. Had I switched just for economic reasons I could have cancelled the operation on Saturday just before the scheduled transfer at Monday noon and saved a bit of money.

It exists for sure in the UK (you should complain to Ofcom as regulator in your case) - I would assume it's the same in the EU because it's not new, and the kind of thing we shared.
https://en.wikipedia.org/wiki/Mobile_number_portability#Euro... suggests it’s not necessarily 24 hours.
Ok I was wrong, from the overview there:

> From 1 July 2019 as a result of new rules from Ofcom, In the UK a customer can request a PAC without having to speak to their provider by texting PAC to 65075.

So it's more recent than I thought (the requirement, the 'donor-led' nature it mentions and ability to do it by text has definitely existed longer at least with willing networks) and UK thing postdating leaving the EU.

I was referring to Directive 2009/136/EC Article 30 "Facilitating change of provider". https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CEL...

> Porting of numbers and their subsequent activation shall be carried out within the shortest possible time. In any case, subscribers who have concluded an agreement to port a number to a new undertaking shall have that number activated within one working day.

> In any event, loss of service during the process of porting shall not exceed one working day.

The relevant EU regulation on the matter is this[1]:

> The porting of numbers and their subsequent activation shall be carried out within the shortest possible time on the date explicitly agreed with the end-user. In any case, end-users who have concluded an agreement to port a number to a new provider shall have that number activated within one working day from the date agreed with the end-user.

My legalese is not good enough to understand what this means. The original text from the 2009 Telecoms Package[2] is worded slightly differently. Maybe member states failed to achieve the original intent and it was weakened to the current wording (as indeed, it takes longer than a day in many EU countries).

1: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A... article 106, paragraph 5

2: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A... article 30, paragraph 4

I went through porting my number in Poland 3 times, and the time between my request and the porting was about a month, so plenty of time to receive the SIM card via snail mail. In one of the cases, I walked out of the new carrier’s store with an inactive SIM card in hand.
In the UK you can get a new SIM and then transfer the number, so waiting for the new SIM to arrive by post which means there is no risk of having your number deactivated before you have your new SIM or any need to leave the house.

Once you have the new SIM the transfer is pretty quick.

The problem you are describing is therefore a regulatory one, not a technical one.

Yep, I always buy a eSIM whenever I travel because that's the only way my phone can do dual-SIM, and it's also convenient in case I come to that country again. I'd never use eSIM for my real phone number though. I don't trust software nearly as much.
What's baffling is the eSIM market seems to be substantially less competitive - you can almost always buy a local physical SIM with far more data for the same price. You'd think the cost for providing an eSIM would be less and MVNO's would be competing to drive it down.
Agree - especially annoying that there’s no reasonable and cheap plan across countries, checkout and search isn't much easier than getting a SIM card at the airport
Esims-via-app usually seem to be permanently roaming.

That means I assume they are paying roaming rates to the local providers.

Except in Germany, where you just can't buy a local SIM at all.

Actually I take that back, shady shops will sell you a SIM that can't be activated.

I'm unsure what you are talking about. I was in Germany recently and got an O2 Deutschland sim card without issue. I had to show my passport, but it was an easy process.

Things do change, so I did a quick internet search. Found plenty of websites with information on how to purchase and activate sim cards.

https://www.phonetravelwiz.com/buying-a-sim-card-in-germany-... https://abrokenbackpack.com/germany-sim-cards/

many others.

From what I've gathered, things can be a bit more difficult if you have a more exotic identity document and either want to use one of the cheaper MVNO providers (which generally don't operate any physical stores at all), or aren't in a position to visit the physical branch of one of the major carriers (Telekom, O2, Vodafone).

In that case customer identification is commonly done via the post office's Postident system (either at a physical post office, or online via video) or via some alternative video chat system, and those might not work for all passports from all countries worldwide.

>What's baffling is the eSIM market seems to be substantially less competitive - you can almost always buy a local physical SIM with far more data for the same price

Which countries? Of the few countries I traveled to, the cheapest esim (by using a esim comparison site) is cheaper than local sims for any reasonable amount of data (eg. 3 GB for a 2 week trip). The local sims sold at the airport might be "cheaper" on a per-GB basis, but they come with absurd amounts of data that you couldn't possibly use (eg. 30GB) so they are more expensive in actuality.

Yeah and here in Europe most carriers don't even support eSIM on prepaid services at all.

I always use prepaid as i hate nasty contract surprises and also because its actually cheaper here with most carriers!

That's a huge use case though. Travel eSIMs are much more convenient than landing at an airport, finding a store that has SIMs, hoping they are open, etc.
I think you can still keep the original qr code and use that no?
They expire, at least mine did.
Only a few carriers use non-expiring QR codes.
Can you clarify, was it free and relatively easy to get a new eSIM on the website?
I also hit the issue, it was trivial to get a new esim from the provider but not being able to transfer was unexpected and annoying (as I had to emergency go and hunt for a way to renew). It added frustration to the phone change, especially as esim transfer is straight up part of apple's migration assistant so I can only assume when it works it's seamless.
Basically the same experience for me as well.
Someone start a timer for the first 0 day exploit involving this
Time for Android users to abandon SMS as their 2FA.

(Everyone should stop using SMS for that anyway, btw.)

Best 2FA is a hardware device like YubiKey. I have a handful of YubiKeys, that I use in important places. Tying multiple YubiKeys to an account rather than just one is preferable IMO, because it lessens the risk of being locked out of your account when you lose a YubiKey or it breaks.

No. There is no future where everyone uses YubiKeys, too cumbersome for the average person. Passkeys it will be.
Yubikeys only allow for 25 resident keys. Clearly not ready for passkeys, but they can work as a second factor.

My setup for the next few years will be: Bitwarden to store passkeys, passwords and sensitive data and a Yubikey that I login to Bitwarden with.

If only any of my banks supported TOTP or Yubikey...
Why is this a big deal? Is it just the equivalence of copying eSIM via QR code or it can actually convert a physical SIM to eSIM in another phone?
Many services, including banks, have their users second factor auth tied to phone.

Hopefully the whole esim and namely esim transfer initiative would end phone as second factor.

And yes, I know that options for 2FA are limited in general. But phone is not the best one.

But usually the second factor is tied to a bank app that you have to register in some way, not to your SIM.
Phones are a very good solution for 2FA, considering the requirements to obtain a phone number. The only disadvantage afaict is that SMS communication is easily intercepted and not encrypted.
I thought the requirements were being a near minimum wage employee at mobile network store (in the US) or a call center employee.

Which is usually how SMS 2FA are stolen, and no one is liable for the consequences.

Which means SMS 2FA is pretty low security. Convenient for most, but secure? Hardly.

Where I live all phone numbers are tied to national ID. When you are getting a new phone number you need to provide your ID card which has a chip and it is read by a device in order to tie the number to your ID for the phone number to be activated. I assume some cryptographic signing scheme is in action.
>But phone is not the best one.

Phones are the best one.

Why?

Because (almost) everyone has one within reach.

Security enthusiasts and believers constantly fail to understand why straight passwords and to a lesser extent phone 2FA never go away: All their proposed alternatives and solutions are inconvenient.

Most people couldn't give a rotten rat's undead arse about security, but they will kill for convenience. Passwords and phone 2FA win and keep winning because they are convenient with good enough security.

The most uninformed takes always come with a healthy dose of arrogance and vulgarity.

Every part of the industry that matters has been bitten by using phone numbers as a 2FA mechanism. It's why they're actually disappearing and are being phased out in favor of apps, OTP tokens, and email codes, depending on the amount of influence technical people wield at a given org.

>in favor of apps, OTP tokens, and email codes

And all of them are some form of jank or inconvenience.

Look, most people (myself included) don't give a fucking fuck about security. Our time lost to the kabuki theater of security is worth more than the so-called "security" we gain, and that's assuming whatever is being secured is even worth securing.

A determined attacker will ignore all that and just undermine everything with social engineering against a useful customer support tech anyway.

Unless your solution is as simple as entering a password and hitting a button, which is the digital equivalent to taking out a key and unlocking your front door, it is not going to see widespread acceptance. Make your fucking security solutions convenient, not secure. kthxbai.

Even cars did away with keys because turning the ignition is an inconvenience compared to just pushing a button.

> Unless your solution is as simple as entering a password and hitting a button

What password?

I mentioned the NHS app I use in a different sub-thread, so let's try my (not very good, would not recommend but they offered decent credit balance interest) current account. I tap the app on my phone, I get a whirl of nonsense, and then:

"Verify that it's you" and I touch the fingerprint sensor on my Pixel 6.

And that's it. No passwords, no PINs, no SMS messages, no separate authenticator device

This is much more secure than real human passwords (it'll be an elliptic curve signed message, so similar to HTTPS) and much more convenient, and short of convincing me to literally send you my phone and my finger you can't trick me into giving you access.

What you say, plus the newer security schemes all have convenient side effects that end up fucking consumers over.

Consider, for example, banking apps: because 2FA via app being near-universal these days, even the web page doesn't let you use your bank account without installing the bank's app. And banks are, after MAFIAA, the biggest proponents of remote hardware attestation schemes. Thanks to that, we're reaching the point that phones that aren't locked down by Apple or Google are going to become useless. Mod/rooting scene already all but evaporated because of it - rooting your phone means fighting half the apps, including your bank, making the whole exercise not worth it.

By "phone", I think OP meant SMS.

Google and Apple could turn modern phones into convenient-to-use security keys/FIDO passkeys.

But they do? Works fine for me on GitHub, which is the place I most often use it, but also other places if I needed them on my phone.

Not only that, they also both provide the same underlying technology to 3rd party apps, because the core trick in WebAuthn uses a cryptographic hash of a DNS name, so if we put say a UUID minted by your app store in where the DNS name goes we get the same functionality, (logically collisions can happen, but they're astronomically unlikely) but customised for each phone vendor & each app.

So e.g. I tap the icon for the NHS app on my Pixel 6, it starts up to where it would want me to do nonsense with passwords and so on but nope, hold my thumb against the screen, biometric match inside the phone, therefore this is my phone, it has a FIDO-style proof that this phone, which enrolled via the laborious process with passwords and SMS and whatever, is mine and it says this is me. Now I can order routine prescription re-fills, they go in a queue, my doctor says yeah, tialaramex doesn't need to re-check those blood levels until summer, prescription approved, done.

They do, iOS Passkeys are pretty neat.
WebAuthn is an open standard and is available on all platforms and devices. There's not much reason to mention iOS, Apple's implementation of the standard is nothing unique.
I don't agree. Passwordless with yubukeys or passkeys is super convenient and much less annoying than code based 2FA.
> Hopefully the whole esim and namely esim transfer initiative would end phone as second factor.

> And yes, I know that options for 2FA are limited in general. But phone is not the best one.

Phone doesn't just mean SMS. E.g. bank apps in the EU use MFA with the bank's app directly which you have to unlock with biometrics or PIN, after unlocking your phone.

A PIN is just a short numeric password. It's not a second factor.
Anything is a second factor if it's the second way you're identifying yourself.
So I can use a password as my first factor and another password as my second factor?
The phone is the second factor. The pin just locks access to the (banking app on the ) phone.
And that is why I'm against eSIMs.

I shouldn't need the carrier's, google's or apple's permission to use different phones.

I would maybe say the same except there's one use case where esims are undeniably awesome: travelling. There are tons of apps that let you get very cheap esims in any country, so you basically never have to pay roaming charges ever again.

Before esims you would have to go and get a physical SIM from somewhere. I've done it before. It's possible, but it was much more of a pain than esims.

The only issue with them I've found is that they're delivered by QR code via email, and the only way to install them on Android (that works) is scanning a QR code with your camera. I had do ask someone to take a photo of my phone so I could scan that photo. facepalm

> There are tons of apps that let you get very cheap esims in any country, so you basically never have to pay roaming charges ever again.

... you mean, with Google/Apple's permission :)

Can you link some of those apps? I'd love to have a travel eSIM just for data.
If this can be done through Google lens, then it would be possible on device. If you share an image with the Google app it opens in lens and can scan codes.
It can't unfortunately. It's special QR scanner activity deep in Android's settings somewhere.
That's depends on the device and app, I've used Airalo on couple of Android devices and it was always one click inside the app to install the eSIM.
They're also great for corporate devices deployments. If the carrier is compatible, you can have the MDM/UEM auto-provision an eSIM during the account registration.

This also has the benefit that the user cannot take it out or lose the SIM while traveling, or do SIM-swap with another device because their manager doesn't follow procedure of contacting IT when reusing spare phones between employees, creating all sorts of mismatches in the inventory between S/N and phone number, etc.

> There are tons of apps that let you get very cheap esims

Wait. Why would you need, or want, an app for that? I'd automatically assume that any such app is a scam. These kinds of things are not what apps do, it's out of scope on restricted mobile OS.

He means that instead of buying the service on a web site he buys it in the web site packed inside an Electron "app".

He does say they're delivered via QR in the email, so the "application" is just a store frontend, it doesn't change his esim itself.

Both iOS and Android provide eSIM APIs. How else do you think carrier apps work?

Apps like Airalo, etc, are legit.

> How else do you think carrier apps work?

IDK, I've always considered carrier apps to be the prototype example of garbage / scams, next to "value-add" software shipped by printer vendors. None of the services I pay my carriers for are, or were, ever enabled or improved by an app.

They are apps because they're almost universally used on phones and apps can provide a much better UX than web sites (fight me PWA delusionists). I think you can probably do it on the web if you want too though.
I agree that apps can and do provide better UX (or at least used to, now they're just mostly wrapping webviews, which sucks) - but this class of activity is something I'd never consider using an app for in the first place. An app for a big e-commerce platform make sense. An app for one-off, transactional buying relationship? That a red flag to me.
There are always caveats and eSIMs are a double-edged sword.

I'm locked down to my current phone because of eSIM. I have two eSIMs from different countries, both necessary for long-term use (e.g. I have bank accounts in both countries, and banks want local numbers). Replacing or upgrading phone would be a tricky endeavor, with temporary outage on one of my lines, as I will be able to move only one eSIM, but not the other until I physically travel to a different country.

Sure, it's a rare edge case, but still - super inconvenient.

AT&T et al have been blocking transfers or requiring physical verification for transfers for a decade now, not exclusive to eSIM.
Hmm I can take my physical sim out and plug it into any other phone over here.

The only exception is when the destination phone is carrier locked by a contract, but they have to unlock it for a nominal fee at the end (I think it was a few eur, or maybe last time they didn't charge me anything.).

Are you referring to the fact that no one buys contract free phones in the US?

They are referring to SIM locks. ATT locks the sim to the phone so it can't be transferred if you got a subsidised phone from them.

All depends on if someone set this flag when creating your SIM and if you took their discount when buying their service.

Still a major mistake to deploy eSIM; physical SIM is an excellent security feature.

Caution: never use eSIM with your real phone number; always get a new phone number just for use with eSIM.

OTP does a way better job giving consumer absolutely control than the eSIM does for mobile providers. (Yeah, re-read that last sentence carefully).

Disclaimer: I do eUICC vulnerability analysis with eIM.

https://www.ericsson.com/en/blog/2023/12/simplifying-iot-inn...

>Caution: never use eSIM with your real phone number; always get a new phone number just for use with eSIM.

Yet again, having ported my phone number to Google Voice (GrandCentral back then), and never giving out whatever my current SIM's phone number is, pays off

How does this work? I thought GV and other VOIP numbers are becoming universally blacklisted by everyone because "sekhurity".
It’s funny, I ported my number to Google Voice, two years later I got kicked off Zelle because VOIP numbers are banned. So how do I send and receive money? Sign up Zelle with email instead. Yes, a VOIP number is a security threat (never mind Wells Fargo has known everything about me financially since forever), but a random email address is A-OK.
I can get SMS "security" codes from most services to my google voice number, but one of my banks just flat out refuses, and let me tell you it can be a huge pain in the ass if a few circumstances line up so that you cannot receive a "security" clear-text msg on your approved phone.
Sending SMS costs $$$, and the gateways are closely-guarded. There are bad actors hammering on logins to elicit SMS codes, and Zelle is charged for the service according to that volume.
There’s no separate Zelle login, and Wells Fargo proper hasn’t banned my phone number, so this explanation makes no sense whatsoever.
Zelle is a separate company that likely operates its SMS sending system separately from Wells Fargo.
There are a few stupid sites that ban VOIP numbers, but thankfully it's still very rare. The vast majority (like 90-95%) accepts just fine.

Source: GV user since Grand Central days.

I had a big carrier number that I later transferred to google voice and I've never had any issues with it since.
I have a ton of accounts. The only ones I know of actively blocking it are Elan Financial(credit card servicer) and maybe Chase. Not sure on Chase, it doesn't block it, just doesn't seem to gets msgs for 2fa.

Everything else (including paypal, fidelity, schwab, sofi, discover, capital one, to name a handful) work fine.

Your act (of going presumably SIM-less) has increased the surface area of attack on your own line by at least a thousand-fold over traditional mobile phone provider but still (probably barely) safer than eSIM.

The Internet is more harsh than telco backend infrastructure.

Genuinely curious about why you believe that. Carriers are notoriously sloppy with handling SIM swap attacks, while Google is notoriously hard to get into an account (even your own, if you happen to lose your password or 2FA).
One word: Backend.
> "One word: Backend."

Sorry, I still don't get it. Telco's backend is a mess. It has a profusion of processes and frontend systems for customer service teams to interface with user records, which creates all sort of loopholes. Any sufficiently motivated attacker can pull a SIM swap attack, as it happens frequently, and the weak link is always a variation of: a clueless agent somewhere trying to help a poor "customer" who dropped their phone in the toilet, and needs to urgently to recover the number.

Or are you suggesting that Google's GV backend is riskier than the carriers?

Actually, let's not mince words. SIM swap attacks are also enabled by literally criminal employees getting paid by other criminals for their access to the telco system.
"Yet again, having ported my phone number to Google Voice (GrandCentral back then), and never giving out whatever my current SIM's phone number is, pays off ..."

Agreed.

My phone number lives at twilio and I couldn't tell you the physical phone number on my SIM card ... I have no idea what it is without looking it up.

In addition to the obvious benefits of never caring whether you lose your phone or being vulnerable to a SIM swap there are other "telco superpowers" that come along with this arrangement:

- I can text you, from my number, from the command line (curl API)

- I can lose my phone and still send and receive SMS (again, curl API)

- I can "sanitize" incoming text messages to ascii-256, block attachments, block or alert on silent SMS, etc.

- block lists for incoming voice and SMS

- CC incoming texts to a mailspool which allows me to browse my SMS history as if it were email (this one is particularly nice).

Finally, I cannot participate in a discussion of hosted/VOIP vs. physical SIM numbers without reminding readers that a "2FA Mule" solves the problems of providers not supporting VOIP numbers for 2A:

https://kozubik.com/items/2famule/

>- I can text you, from my number, from the command line (curl API)

For SMS, Google Vooice both sends to and receives from email. I have a cronjob set up to `mail` a TextNow number that needs activity every 28 days to stay alive.

>- CC incoming texts to a mailspool which allows me to browse my SMS history as if it were email (this one is particularly nice).

Oh, I like this. I tend to delete most of my SMS-via-email, and the texts are always searchable in my Google Voice account, but can definitely see the appeal of always archiving all incoming texts with my mail so that I can use `mairix` for search.

>Finally, I cannot participate in a discussion of hosted/VOIP vs. physical SIM numbers without reminding readers that a "2FA Mule" solves the problems of providers not supporting VOIP numbers for 2A:

Nice. I do use my phone's SIM (now eSIM) number when (and only when) 2FA won't take Google Voice, but if I decide that is a meaningful security flaw, your approach would work.

Speaking of telco superpowers, I don't know if Twilio lets you do this but Google Voice has always supported voice calls by browser. The only time I make or answer a phone call on my phone is when I am away from my computer. When iOS 8 appeared, I'd enjoyed the equivalent of Continuity for years.

> Caution: never use eSIM with your real phone number; always get a new phone number just for use with eSIM.

This seems to be impractical advice with the way devices are going. Look at iPhones.

As with so many things, like physical media, the wider world will undervalue some devices which is an opportunity for those in the know. It's a consolation prize, to be sure, but it's not nothing.
> This seems to be impractical advice with the way devices are going. Look at iPhones.

Unfortunately, quite a few security practices are sometimes "impractical". If you go purely by practicality, all computers would always trust you and do as you request — what is that if not the most practical way of interacting with a computer?

You always need to decide where to place your personal trade-off, maximize in that direction, and be honest about it to yourself. If you don't care about security to this degree, buy an iPhone. If you don't care about their known shortcomings, use face ID and/or fingerprint sensors. Or buy a different phone.

> way devices are going. Look at iPhones.

Also, FTR, almost all US people have a distorted view of iPhone market share. It's only the US where they have about half the market. It's far less in the rest of the world. That said, they still have somewhat of a "technology leader" position where everyone else feels like they have to imitate it, so… meh.

people (companies) want to emulate apple because they sell devices like hotcakes, and develop or remove features that users eventually like/want/expect/don't miss, which brings down mfg cost and enables new technologies.

i don't understand why people say "meh" about companies copying apple, _as if it is apple's fault_. it's samsung, google, huawei, etc. making those decisions. if apple has 20-30% marketshare in most of the world, but has stronger fanbase, makes more money, and pushes tech boundaries, of course other companies will want to follow.

> i don't understand why people say "meh" about companies copying apple, _as if it is apple's fault_

I'm saying meh because people copying Apple include the dumb decisions Apple makes without applying their own brain. Which in case of this specific thread is removing physical SIM slots. This is both Apple's fault for making a questionable decision as well as other companies for copying it.

> if apple has 20-30% marketshare in most of the world

Apple's global market share in 2023 was just about 20%, carried by it being 39% in the US; as such it is in fact below 20% in most of the world.

I'd much prefer companies actually follow NIST and stop using SMS for any type of authentication.

eSIM has the advantage of allowing me to switch to cheaper services without paying $10 and waiting for a physical card to arrive. Is it's security crap? Well so is the security of my mobile provider's kiosk minimum-wager workers.

> without paying $10

Reducing delays to near instantaneous is an argument, but having to pay $10 for a physical SIM sounds like a scam. Yet I've seen providers making people pay for eSIM as well so it seems they like to do this.

On my provider, physical SIM are free and available under 24h. eSIM are free as well and I haven't seen a single SIM on any local provider more expensive than 1€.

>I'd much prefer companies actually follow NIST and stop using SMS for any type of authentication.

I still like the feature that I keep my number as long as I pay. With other 2FA I'm always one device failure from permanent lockout.

You don't backup your 2FAs?
Many authenticators do not allow you to backup, much less peer into your hash algorithms used nor secret keys.
I’d add a caveat.

Namely that physical SIMs are an excellent security feature, provided carriers aren’t cavalier about managing them.

Nowadays US carriers put up a few more hurdles here and there after some highly publicized issues, but it’s still bonkers that I can ultimately just read off the ICCID of a card in my possession and get a number ported to it.

Most European carriers don’t allow you to bring your own SIM and will instead only link numbers to SIMs issued to the customer by themselves.

That in and of itself would make things safer, but, and this practice varies from carrier to carrier and country to country, often times they require in-person pickup with ID check or courier delivery with ID scan. Although there are also plenty that just send it to the address on file.

Never heard before this was possible. Do you have some example which carrier allows to bring your own SIM? Ideally, if you have some support page handy that’d explain the process.

Honestly, with normal SIM cards this shouldn’t be possible, as you cannot program the keys into the card. There are some eSIM-on-SIM-cards that you could use if your phone isn’t eSIM capable. But again, would be nice to check.

you can buy tmo sims off amazon and activate them by id
> as you cannot program the keys into the card

You don't need to program the keys into the card, you program the card's identity/public key into the network.

Mobile Networks use symmetric keys for mutual authentication. You need the same key both in SIM and the carriers database.

What I guess you mean is, you buy an inactive SIM from Vodafone (which has Vodafone-known keys on it), and then you’re telling Vodafone to use that card.

By „bring your SIM“ I thought of something non-branded and was surprised.

Essentially that is what’s happening with eSIM, hence the need for the provisioning step that also makes transferring hard.

> Most European carriers don’t allow you to bring your own SIM

Coincidentally, SIM swapping is unheard of in a majority of European countries. ENISA claims about half of European telcos had zero(!) incidents in 2021. (That stat was easiest to find)

Interestingly, here in India, I have had one of the smoothest transfers from physical to eSIM and between eSIMs to new phones (so far). They have itemized steps to follow, and unlike in 2015-2016, these days, I don't even need to talk to customer support. I have done this while I still had access to my old phone (simpler), and eSIM-ed to the new phone. I have also successfully done it after I had no access to the old phone with Apple's buyback-replacement program when the guy who came to my home gave me the new phone, taking away the old one.

The one key thing that happened is that they sent me confirmations and steps to the email attached to my carrier. Besides that, the security features kick in, where I can make/receive calls, but data/SMS on that number is blocked for the next 24 hours (so, no 2FA and other credentials).

Interesting, which carrier?

I was told by AirTel transferring my eSIM is not supported. I had to go to a store to get a new SIM (physical this time).

Mine is AirTel and I was successful quite a few times.
I wait for a "NEW revolution", the plain old ability to log-in to services via a terminal of some kind with personal credential instead of being bound to a specific device... Because that's what we talk about.

Big tech do it's best to trap users, let's say WA tied to a mobile phone number that after some time surrender and allow for a web access, still keeping the user trapped, but a bit less.

You can enslave as much as you can, a step at a time the barrier will drop. New others will be built and so on, why keeping up the fight?

eSIMs are great.

I have 4 eSIMs on my Pixel 7, 2 active, it's amazing.

Getting a new eSIM is also so easy, don't have to wait for a physical sim card to arrive.

eSIMs are purportedly great until you try to use them in a small cell deployment and literally nobody wants to talk to a single-cell CBRS operator to deploy eSIMs.

I hate the large-scale corporate gatekeeping combined with how insane the GSMA's security requirements and bullshit cert chains keep me from provisioning my own eSIMs for my own network compared to just buying a bunch of ISIMs from China to program in a reader.

It would be nice if we had an open-source eSIM software emulator. However I think this requires secret crypto keys that are only available to chip manufacturers?