Most of the internet runs on usernames/passwords. I understand that a hardware token (with a PIN) is more secure. But is it worth the added complexity?
The SIM protects the carrier against "account sharing". It allows them to be sure that a subscriber is only using one phone at once - although it's portable between phones.
It means that carriers don't have to maintain "sessions" centrally. The SIM can authenticate you to the base station without the base station having to check back to see if you're logged in elsewhere - vital in reducing the latency of cell changes.
(It also stores various bits of technical information for SMS/MMS routing, and was intended to be a platform for "value added" applications.
Account sharing in a telco context is a bad thing all around. Which phone would you like to ring? How do you ensure the charges really are made by (and to) the right person? How will you protect against messages with important information landing with the wrong party?
Authentication in a telco context is a good thing, the fact that the web doesn't have it enabled a large number of applications to flourish, it also made some other things devilishly hard, or even almost impossible.
Carriers do maintain sessions centrally though. These are the HLR and VLR - home location register and visitor location register. This is how "hand offs" between towers work. Handsets don't authenticate to the base station, the base station proxies those back to the MSC, mobile switching center and are looked up in the EIR - Equipment Identity Register.
Its helpful to understand the history of mobile/wireless I think since the Telecom industry takes acronyms to an insane level. The terminology changes slightly depending on which generation of mobile is being discussed. This is a good breakdown of the evolution of mobile networks. I think its a good starting point:
I'd very much argue that a hardware token is more secure, and less complex, especially with multiple devices. It's a lot easier to remember where you put your smart card than to need to get a password store somewhere shareable, to secure that, to remember to put passwords in the store, etc.
It means that carriers don't have to maintain "sessions" centrally. The SIM can authenticate you to the base station without the base station having to check back to see if you're logged in elsewhere - vital in reducing the latency of cell changes.
(It also stores various bits of technical information for SMS/MMS routing, and was intended to be a platform for "value added" applications.