A-TID

AKMA Temporary UE IDentifier

Identifier
Introduced in Rel-16
A-TID is a temporary identifier derived for a UE after primary authentication and used for AKMA (Authentication and Key Management for Applications) services. It is the UE-specific part of the AKMA Key Identifier (A-KID) that the UE presents to an Application Function, so the AF can request keying material from the home network without learning the UE's permanent identity (SUPI). This is what lets 5G application-layer security be bootstrapped from the network's own authentication.

Description

The AKMA Temporary UE IDentifier (A-TID) is a core component of the 5G Authentication and Key Management for Applications (AKMA) framework, specified in 3GPP TS 33.535 from Release 16 onwards. It is a temporary pseudonym that identifies a User Equipment (UE) within the context of AKMA services. The A-TID is not assigned by the network: it is derived independently by the UE and by the AUSF in the home network from the key K_AUSF that results from a successful primary authentication, so both sides hold the same value without an extra message exchange. Together with the AKMA Anchor Key (K_AKMA), which is derived from K_AUSF at the same time, it forms the AKMA context for that authentication run. The AUSF registers K_AKMA, the AKMA Key Identifier (A-KID) and the SUPI with the AKMA Anchor Function (AAnF); the UE keeps its own copies and needs nothing from the network before it contacts an application.

Architecturally, the A-TID is the UE-specific part of the A-KID, which is the identifier the UE actually presents to an Application Function (AF) when it wants to use an AKMA-secured service. The A-KID has Network Access Identifier form, username@realm: the username carries the Routing Indicator (RID) followed by the A-TID, and the realm carries the home network identifier, which is what lets an AF or NEF route the request to the right AAnF. An AF outside the operator's trust domain (for example a third-party service provider) sends its request through the Network Exposure Function (NEF) over the N33 reference point; an AF inside the operator domain can call the AAnF directly. The A-KID does not contain the SUPI; only the AAnF holds the mapping from A-KID to the SUPI and K_AKMA.

The operation has several steps. First, after primary authentication, the UE and the AUSF each derive K_AKMA and the A-TID from K_AUSF and build the A-KID, and the AUSF registers the binding between A-KID, SUPI and K_AKMA at the AAnF. When the UE contacts an AF it includes the A-KID in its Application Session Establishment Request. The AF sends an application key request carrying the A-KID and its own AF_ID (the AF's FQDN combined with the identifier of the Ua* security protocol in use) to the NEF, which checks that the AF is authorised to use AKMA and forwards the request to the AAnF. The AAnF looks up the A-KID, checks that it may serve that AF_ID, derives the application key K_AF from K_AKMA and the AF_ID, and returns K_AF together with its expiry time. The UE derives the same K_AF locally from its own K_AKMA, so the UE and AF share a key without the AF ever learning the SUPI. Because K_AF is bound to the AF_ID, two AFs presented with the same A-KID obtain different keys, and one AF cannot use its K_AF to impersonate the UE towards another.
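The exchange described above, as an added example in Python that is not code from 3GPP, any vendor or any open-source core. It models the UE, AUSF, AAnF, NEF and AF with constructed keys and identities. The KDF is the generic 3GPP KDF of TS 33.220 Annex B (HMAC-SHA-256 over FC || P0 || L0 || P1 || L1 ...); the FC values, the 128-bit A-TID truncation and the AF_ID byte layout are this example's assumptions about TS 33.535 Annex A and clause 6.2 and must be checked against the spec text before any reuse. The functions `run_bootstrap`, `AAnF`, `NEF` and the `derive_*` helpers are hypothetical names, not the service operations' real names.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """Generic 3GPP KDF (TS 33.220 Annex B): HMAC-SHA-256 keyed with `key`
    over S = FC || P0 || L0 || P1 || L1 ..., each Li a 2-octet big-endian length."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()


# Assumed FC values (K_AKMA, A-TID, K_AF); verify against TS 33.535 Annex A.
FC_K_AKMA, FC_A_TID, FC_K_AF = 0x80, 0x81, 0x82


def derive_k_akma(k_ausf: bytes, supi: str) -> bytes:
    return kdf(k_ausf, FC_K_AKMA, b"AKMA", supi.encode())


def derive_a_tid(k_ausf: bytes, supi: str) -> str:
    # Assumption: A-TID is the 128 least significant bits of the KDF output.
    return kdf(k_ausf, FC_A_TID, b"A-TID", supi.encode())[-16:].hex()


def build_a_kid(rid: str, a_tid: str, home_network_id: str) -> str:
    # A-KID is an NAI: username = RID || A-TID, realm = home network identifier.
    return f"{rid}{a_tid}@{home_network_id}"


def derive_k_af(k_akma: bytes, af_id: bytes) -> bytes:
    return kdf(k_akma, FC_K_AF, af_id)


@dataclass
class AAnF:
    """AKMA Anchor Function: holds the A-KID -> (SUPI, K_AKMA) binding."""
    contexts: dict = field(default_factory=dict)
    k_af_lifetime_s: int = 3600          # constructed; AAnF returns an expiry

    def anchor_key_register(self, supi: str, a_kid: str, k_akma: bytes) -> None:
        self.contexts[a_kid] = (supi, k_akma)

    def application_key_get(self, a_kid: str, af_id: bytes):
        ctx = self.contexts.get(a_kid)
        if ctx is None:
            return None                  # unknown/expired A-KID; SUPI never leaves
        _supi, k_akma = ctx
        return derive_k_af(k_akma, af_id), self.k_af_lifetime_s


@dataclass
class NEF:
    """Exposure function on N33: authorises the AF, then forwards to the AAnF."""
    aanf: AAnF
    authorised_af_ids: set

    def application_key_get(self, a_kid: str, af_id: bytes):
        if af_id not in self.authorised_af_ids:
            raise PermissionError("AF not authorised for AKMA")
        return self.aanf.application_key_get(a_kid, af_id)


def ausf_after_primary_auth(k_ausf, supi, rid, hn_id, aanf: AAnF) -> str:
    """AUSF side: derive K_AKMA and A-KID from K_AUSF, push them to the AAnF."""
    k_akma = derive_k_akma(k_ausf, supi)
    a_kid = build_a_kid(rid, derive_a_tid(k_ausf, supi), hn_id)
    aanf.anchor_key_register(supi, a_kid, k_akma)
    return a_kid


def ue_session_material(k_ausf, supi, rid, hn_id, af_id: bytes):
    """UE side: the same derivations from its own K_AUSF; nothing is fetched."""
    k_akma = derive_k_akma(k_ausf, supi)
    a_kid = build_a_kid(rid, derive_a_tid(k_ausf, supi), hn_id)
    return a_kid, derive_k_af(k_akma, af_id)


def run_bootstrap(k_ausf: bytes = b"") -> dict:
    """Whole exchange with constructed identities; returns the checkable outcome."""
    k_ausf = k_ausf or os.urandom(32)    # constructed stand-in for primary auth
    supi, rid, hn = "imsi-234150999999999", "0000", "5gc.mnc015.mcc234.3gppnetwork.org"
    # Assumption: AF_ID = FQDN || Ua* protocol identifier; the id bytes are made up.
    af_id = b"app.example.com" + bytes([0x01, 0x00, 0x00, 0x00, 0x01])
    other_af = b"other.example.com" + bytes([0x01, 0x00, 0x00, 0x00, 0x01])
    rogue_af = b"rogue.example.com" + bytes([0x01, 0x00, 0x00, 0x00, 0x01])
    aanf = AAnF()
    nef = NEF(aanf, {af_id, other_af})
    ausf_after_primary_auth(k_ausf, supi, rid, hn, aanf)
    a_kid, ue_k_af = ue_session_material(k_ausf, supi, rid, hn, af_id)
    af_k_af, lifetime = nef.application_key_get(a_kid, af_id)
    other_k_af, _ = nef.application_key_get(a_kid, other_af)
    try:
        nef.application_key_get(a_kid, rogue_af)
        rogue_rejected = False
    except PermissionError:
        rogue_rejected = True
    return {
        "a_kid": a_kid, "supi": supi, "lifetime": lifetime,
        "keys_match": hmac.compare_digest(ue_k_af, af_k_af),
        "af_keys_differ": other_k_af != af_k_af,
        "unknown_a_kid": nef.application_key_get("ffff" + a_kid, af_id) is None,
        "rogue_rejected": rogue_rejected,
    }
```

Running `run_bootstrap()` shows the three properties the text relies on: the UE and the authorised AF end up with the same K_AF although the AF only ever saw the A-KID; a second AF with a different AF_ID gets a different K_AF from the same A-KID; and an unregistered A-KID or an unauthorised AF yields no key and no SUPI.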

The role of the A-TID in the network is multifaceted. Primarily, it is the privacy-preserving handle that lets application-layer security be bootstrapped from 3GPP network credentials: the AF needs nothing from the subscriber database, only the A-KID the UE gives it and the key the AAnF returns. By being temporary, the A-TID limits long-term traceability: it changes with every primary authentication, because it is derived from the new K_AUSF. Within one A-KID lifetime, however, the UE presents the same A-KID to every AF, since the A-KID is not AF-specific, so AFs that pool data can correlate one UE across services until the next primary authentication. The A-KID format, and with it the A-TID it carries, is defined in TS 33.535 so that UEs, AAnFs and AFs from different vendors interoperate.

Purpose & Motivation

The A-TID was created to address the need for secure, seamless authentication of over-the-top (OTT) and third-party application services in 5G networks. Before AKMA, an application that wanted to reuse 3GPP credentials had to use the Generic Bootstrapping Architecture (GBA, TS 33.220), built around the earlier cores and a separate Bootstrapping Server Function, or fall back on its own credentials such as passwords. This left security gaps, a poor user experience with multiple logins, and little scope for operators to offer their network authentication as a service. The A-TID is the link that allows an application the core network does not trust to trigger key delivery based on the network's strong authentication, without ever learning the user's permanent identity.

Historically, GBA was the standardised way for applications to leverage network-level authentication in earlier generations; AKMA and the A-TID in Release 16 are the 5G-native replacement, motivated by the 5G service-based architecture and its network exposure model, and anchored directly on the K_AUSF produced by 5G primary authentication. They solve the problem of extending the trust established during the UE's initial network access (using SIM-based authentication) to a large ecosystem of external application providers. The A-TID specifically addresses the privacy and security limitations of handing a permanent identifier like the SUPI to an external entity. It is an opaque token, meaningful only within the AKMA framework, which prevents application providers from tracking and profiling users across authentication runs.

Furthermore, the A-TID enables new business models for mobile operators, allowing them to offer authentication-as-a-service to enterprise and vertical partners. By providing a standardized, secure identifier like the A-TID, 3GPP created a foundational element that supports secure IoT service access, enterprise application single sign-on, and other scenarios where device-to-application security is paramount. It effectively bridges the gap between the closed, trusted 3GPP core network domain and the open, untrusted domain of internet applications.

Key Features

  • Privacy preservation: the UE's permanent SUPI is never exposed to Application Functions
  • Acts as the lookup handle by which the AAnF retrieves the correct AKMA context and K_AKMA
  • Enables application functions to obtain application keys (K_AF) derived from 5G primary authentication
  • Temporary, refreshed at every primary authentication, limiting long-term user traceability
  • Carried in the standardised NAI-form A-KID (RID || A-TID @ home network identifier), ensuring interoperability between UE, AAnF and AF across multi-vendor networks
  • Central to the bootstrapping of application-level security (K_AF keys) from 3GPP credentials

Evolution Across Releases

Rel-16 Initial

Introduced the A-TID as a core component of the new AKMA framework. The initial architecture defined the A-TID's role in the key request procedure between the Application Function (AF) and the AKMA Anchor Function (AAnF) via the NEF. Specifications established its derivation by the UE and the AUSF from K_AUSF, its registration at the AAnF bound to the AKMA Anchor Key (K_AKMA), its carriage inside the A-KID, and its use as an opaque identifier for privacy.

Defining Specifications

Specification    Title
TS 24.501        Non-Access-Stratum (NAS) protocol for 5G System (5GS); Stage 3
TS 29.522        5G System; Network Exposure Function Northbound APIs; Stage 3
TS 33.535        Authentication and Key Management for Applications (AKMA) based on 3GPP credentials in the 5G System (5GS)