IEF

Identifier Event Function

Security
Introduced in Rel-16
A lawful interception (LI) function introduced for the 5G core that records when the AMF associates or dissociates a subscriber's permanent identity (SUPI) with the concealed or temporary identifiers seen on the network (SUCI, 5G-GUTI) and with the equipment identity (PEI). It reports these identifier association events to the Identifier Caching Function (ICF) so that an authorised Law Enforcement Agency (LEA) can later resolve an observed identifier to the subscriber, or the reverse. It is defined in the 3GPP LI architecture (TS 33.127, stage 2) with record formats and procedures in TS 33.128 (stage 3); it is not an identity-verification service and has no Relying Party or Identity Provider role.

Description

The Identifier Event Function (IEF) is part of the 3GPP Lawful Interception (LI) architecture specified in TS 33.127 and TS 33.128 from Release 16 onwards. Its sole purpose is identifier association. In 5G the identifier a UE sends over the air is either a one-time concealed identifier (the SUCI, an ECIES encryption of the SUPI under the home network public key, TS 33.501) or a temporary identifier (the 5G-GUTI) that the AMF re-allocates regularly. Anyone who observes only those values cannot tell which subscriber they belong to. The IEF resides in the AMF, the one network function that knows the mapping, and records the moments at which the AMF creates or breaks an association (registration, 5G-GUTI re-allocation, de-registration). Each event carries the SUPI, the 5G-GUTI, the SUCI if one was used, the PEI and a timestamp, and is classified as an association or a de-association.

Architecturally the IEF delivers its events over the LI_XER interface to the Identifier Caching Function (ICF), which retains the association history. An Identifier Query Function (IQF) accepts identifier resolution requests from the LEA over the LI handover interface, queries the ICF over LI_XQR, and returns the permanent identity that held a given temporary or concealed identifier, or the identifiers used by a given SUPI. The IEF is provisioned and controlled by the LI Provisioning Function (LIPF), like the points of interception; it has no service-based interface towards other 5G network functions and does not communicate with the UE. Two properties matter in a security review. First, resolution is time-indexed: a 5G-GUTI is reused for other subscribers after re-allocation, so a query must carry the instant at which the identifier was observed and the ICF must retain de-association events as well as association events, otherwise a lookup can name the wrong subscriber. Second, the IEF/ICF/IQF chain reconstructs exactly the mapping that SUCI concealment and 5G-GUTI re-allocation hide from everyone except the network, so it sits entirely inside the LI domain and inherits the access control, audit and isolation requirements TS 33.127 places on the rest of the LI system.

The IEF only reuses state the AMF already holds as a result of 5G registration and authentication: it performs no authentication of its own, introduces no new identifiers and changes nothing in 5G-AKA or SUCI concealment. What it adds is a queryable record of the SUPI/SUCI/5G-GUTI/PEI relationship, making it the one place in the core network where the identity privacy properties of 5G are deliberately undone for lawful purposes. The stage 2 architecture, the functional split between IEF, ICF and IQF, and the associated security requirements are in TS 33.127; the event record formats and the protocol over LI_XER and LI_XQR are in TS 33.128.
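The association, re-allocation and time-indexed lookup described above, as an added example that is not code from 3GPP or from any vendor's LI implementation. It models the IEF event stream, the ICF cache and an IQF-style query in Python. The event layout (field names, the `ncgi` field, the SUPI/GUTI/SUCI string forms and the sample timeline) is constructed for illustration; the real LI_XER records are ASN.1 structures defined in TS 33.128 and carry more fields than shown here.

```python
"""
Toy model of Rel-16 identifier association: an IEF in the AMF emits
association / de-association events, an ICF retains them, and a query
(as an IQF would issue) resolves an identifier as of a given instant.
Added example only; the field layout is a constructed simplification,
not the ASN.1 record definitions in TS 33.128.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class IdentifierEvent:
    """One event as the IEF would report it to the ICF (constructed layout)."""
    kind: str                   # "association" or "deassociation"
    supi: str                   # permanent subscriber identity
    guti: str                   # 5G-GUTI assigned or released by the AMF
    pei: str                    # equipment identity seen at the event
    timestamp: datetime         # when the AMF made / broke the association
    suci: Optional[str] = None  # concealed identity used at registration, if any
    ncgi: Optional[str] = None  # serving cell (assumed field, not from the page)

    def __post_init__(self) -> None:
        if self.kind not in ("association", "deassociation"):
            raise ValueError(f"unknown event kind {self.kind!r}")
        if self.timestamp.tzinfo is None:
            raise ValueError("timestamps must be timezone-aware to order events across AMFs")


class IdentifierCache:
    """Toy ICF: keeps the full history so lookups are answered as of an instant."""

    def __init__(self) -> None:
        self._events: list[IdentifierEvent] = []

    def ingest(self, ev: IdentifierEvent) -> None:
        # Stable sort: equal timestamps keep arrival order (the model's own tie-break).
        self._events.append(ev)
        self._events.sort(key=lambda e: e.timestamp)

    def resolve_guti(self, guti: str, at: datetime) -> Optional[str]:
        """SUPI that held `guti` at instant `at`; None if it was unassigned then."""
        holder: Optional[str] = None
        for ev in self._events:
            if ev.timestamp > at:
                break
            if ev.guti == guti:
                holder = ev.supi if ev.kind == "association" else None
        return holder

    def gutis_for_supi(self, supi: str, start: datetime, end: datetime) -> set[str]:
        """Every 5G-GUTI the subscriber held at some point within [start, end]."""
        held: set[str] = set()
        open_since: dict[str, datetime] = {}
        for ev in self._events:
            if ev.supi != supi:
                continue
            if ev.kind == "association":
                open_since[ev.guti] = ev.timestamp
                continue
            since = open_since.pop(ev.guti, None)
            # Closed interval [since, ev.timestamp] overlaps the query window?
            if since is not None and since <= end and ev.timestamp >= start:
                held.add(ev.guti)
        # Associations never released are still current at `end`.
        for guti, since in open_since.items():
            if since <= end:
                held.add(guti)
        return held


# Constructed event stream: subscriber A registers with a SUCI and gets
# guti-1, is re-allocated guti-2 after 30 min, and two hours later the
# AMF reuses guti-1 for subscriber B.
T0 = datetime(2024, 1, 1, 8, 0, tzinfo=timezone.utc)
T_REALLOC = T0 + timedelta(minutes=30)
T_REUSE = T0 + timedelta(hours=2)
SUPI_A = "imsi-001010000000001"
SUPI_B = "imsi-001010000000002"


def build_sample_cache() -> IdentifierCache:
    cache = IdentifierCache()
    cache.ingest(IdentifierEvent("association", SUPI_A, "guti-1", "imei-111",
                                 T0, suci="suci-0-001-01-0000-0-1-0a1b2c", ncgi="ncgi-a1"))
    cache.ingest(IdentifierEvent("deassociation", SUPI_A, "guti-1", "imei-111", T_REALLOC))
    cache.ingest(IdentifierEvent("association", SUPI_A, "guti-2", "imei-111", T_REALLOC))
    cache.ingest(IdentifierEvent("association", SUPI_B, "guti-1", "imei-222", T_REUSE))
    return cache


def resolve_guti_at(guti: str, minutes_after_t0: int) -> Optional[str]:
    """Helper for the queries below: who held `guti` N minutes after T0?"""
    return build_sample_cache().resolve_guti(guti, T0 + timedelta(minutes=minutes_after_t0))


if __name__ == "__main__":
    # The same guti-1 resolves to different subscribers depending on the instant,
    # and to nobody in the gap between release and reuse.
    for m in (10, 60, 180):
        print(f"guti-1 at T0+{m}min ->", resolve_guti_at("guti-1", m))
    print("guti-2 at T0+45min ->", resolve_guti_at("guti-2", 45))
    cache = build_sample_cache()
    print("GUTIs of A in [T0, T0+3h] ->",
          sorted(cache.gutis_for_supi(SUPI_A, T0, T0 + timedelta(hours=3))))
```

The point of the model is the time dimension: `guti-1` resolves to subscriber A, to nobody, and then to subscriber B depending on the instant supplied, so an ICF that drops de-association events, or a query that omits the observation time, will misattribute traffic after 5G-GUTI re-allocation.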

Purpose & Motivation

The IEF exists because 5G closed an identifier-resolution gap that earlier generations left open. In 2G to 4G the permanent identity (IMSI) is sent in clear over the air during initial attach and can be read by a passive receiver or an IMSI catcher. 5G conceals the SUPI as a SUCI (ECIES under the home network public key, TS 33.501) and mandates regular 5G-GUTI re-allocation, so an LEA that has lawfully obtained a temporary or concealed identifier, for example from an earlier interception, can no longer tie it to a subscriber by itself. National LI obligations still require the operator to identify the target, so 3GPP standardised a function that records the associations at the point where they are made.

Before Rel-16 there was no standardised way for an LEA to ask a 5G operator which subscriber held a given 5G-GUTI at a given time, or which SUCI and 5G-GUTI values a given SUPI had used; an operator would have had to answer from AMF logs or vendor-specific tooling, with undefined retention and no agreed handover format. Placing the IEF in the AMF, the cache (ICF) in the LI domain and the query front end (IQF) behind the LEA handover interface gives a single interoperable mechanism under the same provisioning, audit and access-control regime as the rest of the LI system. The design also keeps the sensitive mapping off the ordinary 5G service-based interfaces: the events travel only over LI_X interfaces and are not exposed to other network functions or to external parties.

Key Features

  • Located in the AMF; records SUPI to 5G-GUTI, SUCI and PEI associations as they are created and released
  • Reports association and de-association events, each with a timestamp, to the Identifier Caching Function (ICF) over LI_XER
  • Enables time-indexed resolution of a temporary or concealed identifier to a SUPI, and of a SUPI to the identifiers it used, through the Identifier Query Function (IQF)
  • Passive with respect to the UE: no signalling, no new identifiers and no change to 5G-AKA or SUCI concealment
  • Provisioned and controlled from the LI system (LIPF) rather than exposed on the 5G service-based interfaces
  • Stage 2 architecture in TS 33.127; stage 3 record formats and procedures in TS 33.128

Evolution Across Releases

Rel-16 Initial

Introduced the Identifier Event Function, together with the Identifier Caching Function (ICF) and the Identifier Query Function (IQF), as the identifier association part of the LI architecture in TS 33.127. Defined the association and de-association events the IEF reports from the AMF, the LI_XER interface towards the ICF, the LI_XQR query interface between IQF and ICF, and the corresponding stage 3 record formats and procedures in TS 33.128.

Defining Specifications

Specification    Title
TS 33.127        Security; Lawful Interception (LI) architecture and functions
TS 33.128        Security; Protocol and procedures for Lawful Interception (LI); Stage 3