eSIM only iPhone

Tuesday, September 27th, 02022 at 13:31 UTC

An eSIM is a chip inside the phone that can be easily reprogrammed to be a virtual SIM card for any carrier. This has several benefits. One is space savings. Another is being able to jump onto a local country’s phone network at a local rate just by downloading a SIM card from a local provider.

This all sounds great, until you realize that, in Iceland, many years of work with online identity hinges on that physical SIM card with an extra PKI authentication. Years ago, everyone had to swap to these new SIM cards and go to their bank or telco and get it set up with a PIN to unlock the authentication.

Iceland has a service, island.is, which is a Single Sign-On provider (run by a private company). There are three ways to authenticate yourself. The first is a name and password. This works, but it cannot be used for contracts and some more sensitive services like medical records. The highest form of login is a physical card which is inserted into a card reader. These are used in the governmental and banking sectors, but not by the general public. The other, most popular option is something called the electronic ID (Rafræn skilríki). It looks and feels like an SMS 2FA service, but it isn’t. It is actually an ‘out of band’ challenge-response. You enter your phone number, then, via the phone network, your phone gets a full-screen takeover and prompts you for your PIN code. That unlocks the PKI chip to sign the request back to their server.

Using Electronic ID is an acceptable way to sign a contract and gets you into health services, acts as a way to remotely verify you, and more.

When we want to log into our bank, we have several options, but when using island.is we simply enter our phone number on the bank’s website.

A moment later, our phone lights up full screen asking for a PIN code. Sometimes it shows a random number so you can prove the message came from the banking website. After you enter your PIN and agree (several times), island.is authenticates you and sends some information back to the bank (Full Name, auth method, kennitala – social security number, and a few other fields). The bank matches that to their internal accounts and off we go.

This full-screen PIN challenge response is handled on the SIM with the special PKI signing capabilities. We’ve been repeatedly told that eSIMs are not capable of this!

Every website in Iceland using the Electronic ID will not work on these new iPhones!

There are fixes. The first is to write more code to support island.is’ auðkenni app. It works much like the electronic ID, except that instead of using the out-of-band phone network it uses the app and the internet. You are shown a 4-digit number which corresponds to the number shown on the website to prevent phishing attacks. When you answer the challenge-response by entering your PIN, you are logged into the website.
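A simplified model of the challenge-response flow described above (the full-screen PIN prompt and the auðkenni app’s 4-digit number), added here as an illustration; it is not island.is or auðkenni code. An HMAC over a shared key stands in for the SIM’s PKI signature so it runs on the standard library alone, and the class names, the code derivation and the three-try lockout are assumptions.

```python
import hashlib
import hmac
import secrets

def _sign(key: bytes, origin: str, challenge: bytes) -> bytes:
    # HMAC stands in for the chip's public-key signature (assumption).
    return hmac.new(key, origin.encode() + b"\0" + challenge, hashlib.sha256).digest()

def display_code(origin: str, challenge: bytes) -> str:
    """4-digit number shown on website and phone (derivation is assumed)."""
    d = hashlib.sha256(b"code\0" + origin.encode() + b"\0" + challenge).digest()
    return f"{int.from_bytes(d[:4], 'big') % 10000:04d}"

class Device:
    """Constructed stand-in for the SIM or app: the key is usable only with the PIN."""
    MAX_TRIES = 3  # assumed lockout threshold

    def __init__(self, key: bytes, pin: str):
        self._key, self._pin, self._fails = key, pin.encode(), 0

    def approve(self, origin: str, challenge: bytes, pin: str) -> bytes:
        if self._fails >= self.MAX_TRIES:
            raise PermissionError("key locked")
        if not hmac.compare_digest(pin.encode(), self._pin):
            self._fails += 1
            raise PermissionError("wrong PIN")
        self._fails = 0
        return _sign(self._key, origin, challenge)

class IdentityProvider:
    """Constructed stand-in for the sign-on service."""
    def __init__(self):
        self._keys, self._pending = {}, {}

    def enroll(self, phone: str, key: bytes) -> None:
        self._keys[phone] = key

    def start(self, phone: str, origin: str) -> bytes:
        challenge = secrets.token_bytes(16)  # fresh per login attempt
        self._pending[phone] = (origin, challenge)
        return challenge

    def finish(self, phone: str, response: bytes) -> bool:
        pending = self._pending.pop(phone, None)  # single use: blocks replay
        if pending is None:
            return False
        return hmac.compare_digest(response, _sign(self._keys[phone], *pending))
```

Because the response covers both the fresh challenge and the requesting site's name, a response approved for one site or one login attempt is rejected for any other.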

The downside is that to set it up without a PKI-capable SIM, you need to go to a registration center in person. Every time you need to set this up on a device, it is a trip to the nearest bank!

The more drastic measure is to remove island.is from your authentication stack and use something else, like SMS (which is not secure) or a QR code for One-Time Passwords (OTP, TOTP or HOTP). A third option is to drop passwords altogether and move to passkeys.

For us, we’re not exactly sure which way we’ll go. Adapting the code to the auðkenni app doesn’t look fun (long polling, only an Android sandbox right now, etc.), and this free service will soon be charging (at a rate similar to SMS), so it might be the end of the road for us and island.is.

Being mindful of all our customers: over the last year we moved them from names/passwords to island.is’ Electronic ID, so asking them to go back to another method so soon isn’t best practice.

(In that transition from names/passwords to Electronic ID, we had support requests from organizations that were sharing passwords. With Electronic IDs, team members could no longer log in as their boss, since the out-of-band authentication would require them to have access to their boss’ phone and PIN, which would undermine lots of other services and certainly wouldn’t be shared. It did help us clean up our customer data and made for a stricter permission system when everyone had to log in as their real selves.)

Using the Electronic ID has benefits! Our sign-up form completely stopped getting spam bots filling it out. If user-account creation is tied to a real-world identity, then we know the signup was legit, secure and the agreed contract was enforceable. We lose that if we move back to passwords/keys/2FA.

Once SIM-less phones make their way to Iceland, we’ll see how many services we won’t be able to use, how fast they manage to update their systems, and to what new login method!

We’re not sure yet how we’ll respond. The clock is ticking: we estimate we have 12-14 months to come up with a solution for the super early adopters.