Working remotely – enabling the next generation of SIM provisioning

Yves Portalier is Vice President & General Manager for the Telecom Business Unit at Morpho (Safran)

The SIM card has played a unique role in the rapid rise of mobile devices and applications since the first GSM products arrived over 25 years ago, combining security of network connections and a high level of interoperability across multiple brands and generations of devices. Today we have begun to see acceleration in multiple markets, with Internet of Things (IoT) perhaps showing the most dramatic growth, thanks to the ever-growing use of data. This has created a need to rapidly consider and define evolutions in the SIM card to address additional categories of products and services so that both customers and operators benefit.


The subscriber identity module (SIM) has two main purposes: the first is to hold the unique reference number (integrated circuit card identifier or ICC-ID) that identifies the card and user to the network and which enables calls and data communication, and the second is to secure authentication to the network and services through holding the international mobile subscriber identity (IMSI) and its encryption key. Over time SIM cards have shrunk from the credit-card sized “1FF” down to the “4FF” (nano SIM) all the way to new and even smaller ones: the embedded form factors (such as those known as MFF2). These new SIMs still identify the user and authenticate the device, and support the latest generation of networks such as 4G LTE, while also enabling the execution of highly secured applications such as payment and authentication for services.

Embedded form factors enabling the SIM to be embedded or soldered onto a printed circuit board are not new. Industrial M2M devices have had soldered SIMs for some time, but today operator profiles are also usually embedded into the SIM at the same time and permanently. The ability to deliver flexible subscription management and to change operator profile data became a requirement as new use cases and market demands evolved, driven by the need for simpler deployments of M2M devices and services.

In our increasingly mobile-first world, the new generation of connected devices has reinforced this need for flexibility and for improving the development, deployment and usage of these newer categories of IoT products. As a result, much work has gone into developing new specifications to enable interoperable solutions and systems for flexible subscription management. These are now being commercially deployed in the M2M sector.


Taking a consumer device perspective, it has been necessary to review use cases and put the end user, and maximizing the user experience, at the centre of the solution. Basically this means the Remote SIM Provisioning (RSP) specification must enable end users to change their operator profile data on the SIM remotely, securely, and without having to remove the SIM or log into a complex control panel. They simply need to select the desired subscription for their device.

As such the SIM card becomes a product that is customizable throughout its lifetime and has the potential for supporting future SIM and profile evolutions. Beyond the question of the form factor of the SIM (removable or soldered), it looks likely that the challenges we can expect are with new generations of software supporting the deployment of the growing Connected Consumer Device market.

A customizable SIM card could be truly industry-transforming. In the past, changes in SIM card sizes were not really industry-shaking but eSIM and RSP have the potential to be true disruptors and offer mobile service providers great opportunities for innovation.



Over the past 25 years SIM vendors have become trusted partners to mobile network operators (MNOs), delivering unique cards and credentials to them. Data flows between them and enables SIM cards in the field to be securely activated, purchased by customers and inserted and activated in a device.

RSP will change the relationship between device vendors, SIM vendors and MNOs. Managing secret MNO keys required to generate unique SIM configurations will continue, but how we deliver this data will change, becoming a separate service executed once customers activate a device’s connection.

Similarly, the embedded SIM (eSIM) needs to fulfil several things to ensure its full interoperability. It must be able to perform operations no matter which MNO or SIM vendor is involved. MNOs may also need to download new or revised SIM configurations they were not involved in defining, and therefore interoperable specifications and chains of certificated processes are needed to enable levels of trust to be established.

GSMA workgroups defined specifications that help ensure trust and interoperability between parties. So no matter the company’s role, product and service design benefit from guidelines agreed between major stakeholders – an approach which should be to the advantage of all.

Scalability is also vital to commercial success and to ensuring secure interoperability. Consumer devices always display peaks in demand for SIMs and profiles such as when devices are given as gifts and when major new devices are launched. Global subscription management systems must be highly scalable to cope with the millions of operations on multiple variants of SIM cards that take place around the world.

Communicating and correctly implementing these specifications ensures the various industry players can focus development on products and services while leveraging a powerful and flexible way of managing subscriptions.


eSIMs must have the same levels of security that removable SIMs have always had. This means designing a global system that addresses the many connected services, while the eSIM itself must meet all security demands and constraints. It must be open to changes but closed to attacks, whatever the device in question. This is vital to enabling MNOs to ensure convenience and security of connectivity for end users. In practical terms, this means that having tamper-resistant hardware, with fully-integrated, optimized and secured software, is the best way of ensuring future-proof implementations.


For the last 3 years the connected devices industry has focussed intently on delivering the secure, interoperable and flexible capabilities of RSP, initially for M2M and latterly for consumer devices. As these solutions become commercially deployed, the industry must move on to how to further enhance the end user experience. Frictionless connectivity is the key to successful commercial adoption of so many solutions and services, and as they become more closely integrated with identity and payment solutions, the smooth and secure biometric registration of customers, and management of verified identities within secure elements is the likely next step for flexible connectivity management.