undefined | Better HN

0 pointsmherrmann9y ago0 comments

Most of the internet runs on usernames/passwords. I understand that a hardware token (with a PIN) is more secure. But is it worth the added complexity?

0 comments

pjc509y ago

The SIM protects the carrier against "account sharing". It allows them to be sure that a subscriber is only using one phone at once - although it's portable between phones.

It means that carriers don't have to maintain "sessions" centrally. The SIM can authenticate you to the base station without the base station having to check back to see if you're logged in elsewhere - vital in reducing the latency of cell changes.

(It also stores various bits of technical information for SMS/MMS routing, and was intended to be a platform for "value added" applications.

jacquesm9y ago

Account sharing in a telco context is a bad thing all around. Which phone would you like to ring? How do you ensure the charges really are made by (and to) the right person? How will you protect against messages with important information landing with the wrong party?

Authentication in a telco context is a good thing, the fact that the web doesn't have it enabled a large number of applications to flourish, it also made some other things devilishly hard, or even almost impossible.

bogomipz9y ago

Carriers do maintain sessions centrally though. These are the HLR and VLR - home location register and visitor location register. This is how "hand offs" between towers work. Handsets don't authenticate to the base station, the base station proxies those back to the MSC, mobile switching center and are looked up in the EIR - Equipment Identity Register.

eropple9y ago

Do you happen to know of a good breakdown of how mobile networks work? I'd love to know more, but it's hard to get a handle on it to get started.

1 more reply

baybal29y ago

>It allows them to be sure that a subscriber is only using one phone at once

Only on home network, everybody who knows your IMSI and have low level access to phone network can clone your identity in roaming.

user59944619y ago

There is no added complexity. Just buy a SIM card and put it in your phone. It is very simple and straightforward.

The alternatives are worse in usability AND security.

jacquesm9y ago

> But is it worth the added complexity?

If you don't want your account to be hacked: yes.

Sanddancer9y ago

I'd very much argue that a hardware token is more secure, and less complex, especially with multiple devices. It's a lot easier to remember where you put your smart card than to need to get a password store somewhere shareable, to secure that, to remember to put passwords in the store, etc.

j / k navigate · click thread line to collapse

0 comments

pjc509y ago

The SIM protects the carrier against "account sharing". It allows them to be sure that a subscriber is only using one phone at once - although it's portable between phones.

(It also stores various bits of technical information for SMS/MMS routing, and was intended to be a platform for "value added" applications.

jacquesm9y ago

bogomipz9y ago

eropple9y ago

Do you happen to know of a good breakdown of how mobile networks work? I'd love to know more, but it's hard to get a handle on it to get started.

1 more reply

baybal29y ago

>It allows them to be sure that a subscriber is only using one phone at once

Only on home network, everybody who knows your IMSI and have low level access to phone network can clone your identity in roaming.

user59944619y ago

There is no added complexity. Just buy a SIM card and put it in your phone. It is very simple and straightforward.

The alternatives are worse in usability AND security.

jacquesm9y ago

> But is it worth the added complexity?

If you don't want your account to be hacked: yes.

Sanddancer9y ago

j / k navigate · click thread line to collapse