A-TID

AKMA Temporary UE IDentifier

Introduced in Rel-16

A-TID is a temporary identifier assigned to a UE for AKMA services, enabling application functions to securely request authentication and keying material without exposing the UE's permanent identity.

Category: Identifier
Introduced: Rel-16
Where: Core Network › 5G Core
Specifications: 3 specs

Description

The AKMA Temporary UE IDentifier (A-TID) is a core component of the 5G Authentication and Key Management for Applications (AKMA) framework, standardized in 3GPP Release 16 and beyond. It serves as a temporary, network-assigned pseudonym that uniquely identifies a User Equipment (UE) within the context of AKMA services. The A-TID is generated by the AKMA Anchor Function (AAnF) in the home network following a successful primary authentication procedure between the UE and the 5G Core Network (5GC). This generation typically occurs during the initial AKMA registration phase, where the UE and AAnF establish a shared AKMA context, including the A-TID and associated keying material derived from the primary authentication keys.

Architecturally, the A-TID functions as a reference key within the AKMA ecosystem. It is provided by the UE to an Application Function (AF) when the UE wishes to access an AKMA-secured application service. The AF, which resides outside the 3GPP trust domain (e.g., in a third-party service provider network), uses this A-TID to query the appropriate AAnF via the Network Exposure Function (NEF) using the N33 reference point. The A-TID does not contain the UE's permanent subscription identifier (SUPI), thereby preserving user privacy. Instead, it is a cryptographically generated or assigned string that the AAnF can map back to the specific AKMA context and keying material it shares with that UE.

The technical operation involves several key steps. First, after primary authentication, the UE and AAnF derive the AKMA Anchor Key (K_AKMA). The AAnF then generates or assigns the A-TID for that UE and stores the binding between the A-TID, the UE's subscription identifier (internal mapping), and the K_AKMA. When the UE contacts an AF, it includes the A-TID in its service request. The AF, needing to authenticate the UE and establish secure application session keys, sends an AKMA application key request to the NEF, including the received A-TID. The NEF forwards this request to the correct AAnF. The AAnF validates the A-TID, retrieves the corresponding K_AKMA and UE context, and generates application-specific keys (K_AF) which are securely delivered back to the AF. This entire process allows the AF and UE to establish a secure channel without the AF ever knowing the UE's permanent identity.
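A minimal model of the lookup described above, added here as an illustration and not taken from the 3GPP specifications or any AAnF implementation. The class and function names, the random A-TID format and the HMAC-SHA-256 stand-in for the 3GPP key derivation function are assumptions, and the NEF hop between AF and AAnF is omitted.

```python
import hashlib
import hmac
import secrets
import time


def derive_k_af(k_akma: bytes, af_id: str) -> bytes:
    # Stand-in KDF (assumption): HMAC-SHA-256 keyed with K_AKMA over a label
    # plus the AF identifier. The 3GPP KDF input encoding is not reproduced.
    return hmac.new(k_akma, b"K_AF|" + af_id.encode(), hashlib.sha256).digest()


class AAnF:
    """Toy AKMA Anchor Function holding A-TID -> (SUPI, K_AKMA, expiry)."""

    def __init__(self, lifetime_s=3600):
        self._contexts = {}
        self._lifetime_s = lifetime_s

    def register(self, supi, k_akma, now=None):
        # Random A-TID: nothing in it is derived from, or reversible to, SUPI.
        a_tid = secrets.token_hex(16)
        now = time.time() if now is None else now
        self._contexts[a_tid] = (supi, k_akma, now + self._lifetime_s)
        return a_tid

    def application_key_request(self, a_tid, af_id, now=None):
        now = time.time() if now is None else now
        ctx = self._contexts.get(a_tid)
        if ctx is None:
            raise KeyError("unknown A-TID")
        _supi, k_akma, expiry = ctx
        if now >= expiry:
            del self._contexts[a_tid]  # an expired context must not yield keys
            raise KeyError("AKMA context expired")
        # Response to the AF: key material and expiry only, never the SUPI.
        return {"k_af": derive_k_af(k_akma, af_id), "expiry": expiry}


def demo():
    supi = "imsi-001010000000001"     # constructed test subscriber
    k_akma = secrets.token_bytes(32)  # constructed anchor key
    aanf = AAnF()
    a_tid = aanf.register(supi, k_akma)  # after primary authentication
    af_resp = aanf.application_key_request(a_tid, "af.example.com")
    ue_k_af = derive_k_af(k_akma, "af.example.com")  # UE derives locally
    return {"a_tid": a_tid, "supi": supi, "af_resp": af_resp, "ue_k_af": ue_k_af}
```

Because K_AF is bound to the AF identifier, two AFs presenting the same A-TID receive different keys, and an unknown or expired A-TID yields no key at all.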

The role of the A-TID in the network is multifaceted. Primarily, it acts as a privacy-preserving handle that enables application-layer security bootstrapping from 3GPP network credentials. It decouples the application function's need for authentication from the core network's detailed subscriber database. Furthermore, by being temporary and specific to the AKMA service, it limits traceability and correlation of user activities across different application services. The A-TID's format and structure are defined within the relevant 3GPP specifications to ensure interoperability between UEs, AAnFs, and AFs across different vendor implementations and network deployments.

Purpose & Motivation

The A-TID was created to address the growing need for secure, seamless authentication for over-the-top (OTT) and third-party application services in 5G networks. Prior to AKMA, applications either had to implement their own, often weaker, authentication mechanisms (like passwords) or rely on complex gateway solutions. This created security gaps, poor user experience with multiple logins, and limited the ability for operators to leverage their robust network authentication as a service. The A-TID provides the crucial link that allows an application, which is untrusted by the core network, to trigger a key delivery process based on the network's strong authentication, without ever learning the user's private identity.

Historically, earlier cellular generations lacked a standardized mechanism for applications to leverage network-level authentication. The creation of AKMA and the A-TID in Release 16 was motivated by the 5G vision of network exposure and service-based architecture. It solves the problem of how to extend the trust established during the UE's initial network access (using SIM-based authentication) to a vast ecosystem of external application providers. The A-TID specifically addresses the privacy and security limitations of simply passing a permanent identifier like the SUPI to an external entity. It acts as an opaque token, valid only within the AKMA framework, which prevents tracking and profiling of users by application providers across different services or sessions.

Furthermore, the A-TID enables new business models for mobile operators, allowing them to offer authentication-as-a-service to enterprise and vertical partners. By providing a standardized, secure identifier like the A-TID, 3GPP created a foundational element that supports secure IoT service access, enterprise application single sign-on, and other scenarios where device-to-application security is paramount. It effectively bridges the gap between the closed, trusted 3GPP core network domain and the open, untrusted domain of internet applications.

Classification

Part of: AKMA
Related approaches: SUPI

Detected Changes Across Releases

from 3GPP Change Requests

Specific changes extracted from the "Change history" tables of 3GPP specifications (79 CRs across 5 releases). Complements the general historical overview above with the evidence-based evolution of this function.

Rel-15 7 changes

In Release 15, the AKMA Temporary UE IDentifier (A-TID) was introduced as a new temporary identifier derived from the valid K_AUSF key. The UE supporting AKMA derives this A-TID and the AKMA Anchor Key (K_AKMA) upon request from upper layers, and subsequently derives the AKMA Key Identifier (A-KID) from the A-TID. This enables the UE to securely provide authentication and key management for applications based on 3GPP credentials.

  • Remove the remaining instance of SUPI paging (TS 24.501 CR0055)
  • Clarification on the temporary identity in the service request procedure (TS 24.501 CR0352)
  • Correction to SUPI definition due to NAI format (TS 24.501 CR0628)
  • UE identifier provided during an initial registration procedure (TS 24.501 CR0679)
  • Limited service and no SUPI states in 5GMM instance for non-3GPP access (TS 24.501 CR0693)
  • Removal of Editor's note on home network public key and home network public key identifier update and removal of protection scheme identifier (TS 24.501 CR0845)

+ 1 more change

Rel-16 12 changes

In Release 16, the A-TID function was enhanced with clarifications and corrections to the AKMA procedures, including the specification of the SUPI value for key derivations. Furthermore, the release introduced support for re-authentication within the AKMA process and provided an explicit AKMA context description. These updates also included corrections to AKMA key lifetimes and clarifications on error response handling during AKMA operations.

  • Correction of certain erroneous Information Element Identifiers (TS 24.501 CR2033)
  • Packet filter identifier setting when requesting new packet filters (TS 24.501 CR2536)
  • Clarifications on error response handling in AKMA process (TS 33.535 CR0009)
  • Re-authentication in AKMA (TS 33.535 CR0013)
  • Adding AKMA context description (TS 33.535 CR0020)
  • Corrections to AKMA key lifetimes (TS 33.535 CR0024)

+ 6 more changes

Rel-17 30 changes

In Release 17, the specification for the AKMA Temporary UE Identifier (A-TID) was enhanced to clarify the UE's derivation process, particularly in scenarios where a valid K_AUSF is not immediately available. It specified that the UE shall derive the A-TID and subsequently the A-KID from a valid K_AUSF only after the completion of an ongoing primary authentication procedure if one is in progress. Furthermore, the UE's handling was detailed for cases where the K_AUSF changes or becomes invalid, ensuring the A-TID remains properly anchored to the current authentication context.

  • The impact on UE due to the introduction of Authentication and Key Management for Applications (AKMA) (TS 24.501 CR2794)
  • AAnF checks AKMA service for UE and AF in clause 6.3 (TS 33.535 CR0055)
  • Profiling the GBA TLS protocols for use with AKMA (TS 33.535 CR0066)
  • Adding TLS 1.3 with AKMA keys (TS 33.535 CR0099)
  • New AAnF application key get service without SUPI (TS 33.535 CR0121)
  • Avoid including both PAP/CHAP and EAP identifiers in PDU session establishment request (TS 24.501 CR2941)

+ 24 more changes

Rel-18 22 changes

In Release 18, the AKMA function was enhanced with the introduction of new AKMA Ua protocols based on DTLS and IETF OSCORE, as detailed in TS 33.535. Additionally, the release introduced AKMA roaming policy control in the AAnF and expanded AKMA service operation procedures, including updates for service disabling notifications via the NEF and corrections to related UDM services.

  • Protecting the N3IWF/TNGF identifier information in the REGISTRATION REJECT message (TS 24.501 CR5932)
  • AKMA phase 2 security enhancement (TS 33.535 CR0154)
  • Add AKMA Ua protocol based on DTLS to TS 33.535 (TS 33.535 CR0164)
  • IETF OSCORE as AKMA Ua protocol (TS 33.535 CR0175)
  • AKMA roaming policy control in AAnF (TS 33.535 CR0207)
  • Correction for N3IWF identifier IE (TS 24.501 CR5120)

+ 16 more changes

Rel-19 8 changes

In Release 19, the A-TID function itself was not updated; instead, the release introduced new procedures and enhancements for QoS differentiation of non-3GPP device identifiers. These changes included the support for multiple identifiers, the ability to suspend QoS differentiation per identifier, and procedural updates and corrections for handling this connection information.

  • Support of reject QoS differentiation for non-3GPP device identifier(s) (TS 24.501 CR6926)
  • Procedure update for QoS differentiation of non-3GPP device identifiers (TS 24.501 CR6994)
  • Suspending QoS differentiation for non-3GPP device identifier (TS 24.501 CR7087)
  • Correction to the inconsistent LCS correlation identifier (TS 24.501 CR6380)
  • Support of multiple Non-3GPP device identifiers for QoS differentiation (TS 24.501 CR6925)
  • QoS differentiation for non-3GPP device identifiers clean up (TS 24.501 CR6993)

+ 2 more changes

Defining Specifications

3GPP specifications that define or reference A-TID, with the latest known release. Sourced from the 3GPP document catalog.

Specification | Title | Release
TS 24.501 vj50 | 5G NAS Protocols Specification | Rel-19
TS 29.522 vj40 | 5G NEF Northbound APIs Stage 3 | Rel-19
TS 33.535 vj00 | 5G AKMA: Authentication and Key Management for Apps | Rel-19