eSIM and the Future of Secure Digital Identity

Nora Farkas

How do you prove you are who you say you are? In the real world, it’s likely by showing a physical document: a driving license, an ID card, or a passport. Online, it might be by keying in a password, answering some security questions, or providing a one-time code from an authentication service.

These methods have proven just about workable up to now, but the cracks are getting harder to ignore. Europol lists document fraud as a major engine of organized crime in the physical world, supporting a wide range of criminal activities from human trafficking to money laundering.

At the same time, proving identity online has become a huge headache for consumers, who now typically have around 100 passwords to remember. Any attempt to make that task easier – by using the same password on different sites or by using loved ones’ or pets’ names – brings the risk of identity theft, a crime that in 2020 was reported 1.4 million times in the US alone.

IoT and New Authentication Challenges

Finding a simple, secure way of proving human identity is hard enough. But below the surface, an even bigger challenge is brewing. By 2025, nearly 31 billion devices – from blood sugar monitors to smart packaging labels – will be connected to the Internet of Things. They, too, will need a means of authenticating themselves so that they can exchange data across networks in a trusted and secure way.

Fortunately, there is a way to solve the secure digital identity problem for humans and IoT-connected devices. And, interestingly for CSPs, it all comes down to the humble SIM.

The Subscriber Identity Module (SIM) has long been storing user credentials on a mobile handset and using those credentials to authenticate the user on the network. As a function, secure digital identity is only becoming more critical. But as the world gets more connected, the removable SIM is no longer the best way to manage it.

SIMs have always been clunky to use and manage – taking up real estate on the device, consuming battery power, and having to be manually swapped to connect to a different network. They’re annoying for users as they’re fiddly to remove, can easily be lost or broken, and require time and effort to connect to the network. They also rack up costs for CSPs, who have to purchase them in bulk, ship them to stores and customers, and track and manage them throughout their lifetime.

As more devices of more types connect to the network, the removable SIM becomes less and less fit for purpose. In its wake are coming two more IoT-compatible SIM formats: eSIM and iSIM.

eSIM

eSIM is still a hardware chip but, at 6 x 5mm, it’s almost half the size of the smallest removable SIM card. Rather than being supplied separately post-purchase and slotted into a port, it’s embedded on the motherboard and ships with the device. Crucially, that means it can be provisioned over the air – and out of the box – by whichever provider the customer chooses to supply the connectivity.

eSIMs have space for multiple operator profiles, making them attractive for users as they can switch providers without changing the SIM. For CSPs, they significantly reduce operating costs as there’s no hardware to buy, distribute or manage.

Less invitingly, they may also weaken the relationship with customers, who are no longer locked into one network and can easily buy a device and connectivity from anywhere. But on the flipside, remote control over device subscriptions can accelerate time to market for new and differentiated services – providing an alternative route for CSPs to gain customer satisfaction and loyalty.

Furthermore, eSIMs will enable simple, out-of-the-box connectivity for all kinds of devices, from foldable phones to fitness wearables, connected cars, and AR glasses. And because they’re theft-proof, tamper-proof, and likely to become pretty ubiquitous – over six billion eSIM- and iSIM-capable devices will have shipped by 2025 – they’re also a strong candidate to replace paper documents and passwords for identity verification.

That’s good news for consumers, who may soon be able to use their eSIM as a secure ID token for everything from opening a bank account to logging into the exercise bike at the gym. It’s even better news for the hundreds of millions of people who lack official proof of identity documents like a passport or birth certificate. To date, the World Bank estimates that there are 1 billion people without official proof of identity worldwide. For the economically excluded, eSIM could help close the digital divide by providing a secure enough digital ID to open a bank account or purchase land.

It’s also potentially good news for CSPs because it creates an opportunity to play a key role in the future digital economy. Someone will need to provide the verification and authentication services for eSIM-based digital identity initiatives. As the GSMA noted in its 2020 report, Mobile Identity: Enabling the Digital World, mobile operators are well-positioned to deliver on that requirement.

From eSIM to iSIM: Enabling Secure Digital Identity At Scale

But while eSIM is a promising solution to human-scale digital ID and verification challenges, it’s less well equipped to authenticate the billions of ‘things’ that will soon be connected to the IoT. eSIM may be small, but it’s not small enough for paper-thin devices like pharmaceutical giant Bayer’s smart label. It also consumes too much power for long-life devices like smart meters and agricultural soil moisture sensors, whose batteries need to last for years.

Emerging IoT applications like these require a different type of SIM: one that, like eSIM, can be provisioned and managed over the air, but which uses minimal space and power, is manageable at a massive scale, and stores credentials in a secure environment that’s highly resistant to hacking.

Enter iSIM.

Unlike its predecessors, iSIM is not hardware-based but software-based, and it lives not on a dedicated chip but in a secure enclave on the device’s core processor. There, nestled deep within the processor’s system-on-chip (SoC) architecture, it can act as a single, secure Root of Trust (RoT) for every application that runs on the device.

iSIM is set to be the technology that allows every IoT device to authenticate itself to a 5G network, laying the foundations for the secure exchange of data in a hyperconnected world. As with eSIM, that creates an opportunity for CSPs to provide authentication services to any organization that relies on secure data transfer between IoT devices, edge cloud servers, and central cloud platforms.

As a more secure and cost-effective option for original equipment manufacturers (OEMs), with a simpler supply chain, iSIM is also set to play a bigger role than eSIM in the evolution to SIM-based authentication of human users.

However, unlike eSIM, which has already been adopted as a standard and is shipping in devices today, iSIM’s future capabilities still have to clear the standardization hurdle. Support for iSIM is likely to become standard in all devices in the next few years. But it’s already being used by Arm, Altair, DT, and Qualcomm, and some iSIMs have already been adopted by device manufacturers. In addition, new standards are emerging like GSMA’s IoT SAFE security architecture and Secured Applications for Mobile (SAM), as well as ETSI’s Smart Secure Platform, paving the way for new digital identity use cases and services.

New Partners and Resources

For CSPs, then, both eSIM and iSIM open up new realms of opportunity. The capacity for remote provisioning means CSPs can activate user subscriptions out of the box, creating a seamless customer experience and paving the way for new offers and subscription services. Meanwhile, the ability to provide a secure and trusted digital ID may also land some CSPs a new role as authentication service providers to governments and businesses.

To make the most of these opportunities, CSPs will need to forge new partnerships and invest in new software solutions. eSIM and iSIM cut traditional SIM vendors out of the loop, so CSPs will need to get closer to device manufacturers and SoC vendors to co-develop products and services. CSPs with an ambition to support national e-ID schemes should aim to join relevant consortia and public-private initiatives.

CSPs will also need a remote provisioning and management platform that enables these new SIM generations to be managed at an IoT scale cost-efficiently. That’s a function best performed in the cloud, which can scale to manage the potentially billions of devices and SIM profiles that may connect to a CSP’s network.

With eSIM already disrupting the connectivity value chain and iSIM set to disrupt it further, there are risks and opportunities for CSPs. “Mobile operators have been reluctant to move on eSIM and iSIM because they see the SIM card as the key point of leverage,” says Peter Richardson of Counterpoint Research. But with the IoT bringing huge new opportunities, CSPs that shed that mindset and embrace eSIM and iSIM stand to gain valuable new revenue streams in a hyperconnected world.

Author
Nora Farkas - Portfolio Marketing Manager, Nokia

Contributors
Guest Writer
Guest writers are IoT experts and enthusiasts interested in sharing their insights with the IoT industry through IoT For All.