SIMple ID: QR Codes for Authentication Using Basic Mobile Phones in Developing Countries

Security and Trust Management (STM 2022)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 13867)

Abstract

Modern foundational electronic IDentity (eID) systems commonly rely on biometric authentication so as to reduce both their deployment costs and the need for cryptographically capable end-user devices (e.g., smartcards, smartphones). However, this exposes the users to significant security and privacy risks. We introduce SIMple ID which uses existing infrastructure, Subscriber Identity Module (SIM) cards and basic feature phones, to realise modern authentication protocols without the use of biometrics. Towards this goal, we extend the international standard for displaying images stored in SIM cards and show how this can be used to generate QR codes on even basic no-frills devices. Then, we introduce a suite of lightweight eID authentication protocols designed for on-SIM execution. Finally, we discuss SIMple ID’s security, benchmark its performance and explain how it can enhance the security and privacy offered by widespread foundational eID platforms such as India’s Aadhaar.

Notes

  1. https://github.com/alan-turing-institute/simple-id

Acknowledgments

This work was supported, in whole or in part, by the Bill & Melinda Gates Foundation [INV-001309]. Under the grant conditions of the Foundation, a Creative Commons Attribution 4.0 Generic License has already been assigned to the Author Accepted Manuscript version that might arise from this submission. Taisys Technologies Co. Ltd kindly donated 6 SIMoME overlay UICCs and provided technical support.

Author information

Corresponding authors

Correspondence to Chris Hicks or Vasilios Mavroudis.

Copyright information

© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper

Cite this paper

Hicks, C., Mavroudis, V., Crowcroft, J. (2023). SIMple ID: QR Codes for Authentication Using Basic Mobile Phones in Developing Countries. In: Lenzini, G., Meng, W. (eds) Security and Trust Management. STM 2022. Lecture Notes in Computer Science, vol 13867. Springer, Cham. https://doi.org/10.1007/978-3-031-29504-1_1

  • DOI: https://doi.org/10.1007/978-3-031-29504-1_1

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-29503-4

  • Online ISBN: 978-3-031-29504-1

  • eBook Packages: Computer Science, Computer Science (R0)
