UIA

User Identity Authentication

Introduced in Rel-4. Also in: Services, Radio Access Network.

UIA is the 3GPP security procedure that verifies a subscriber's identity before granting network access. It is a cryptographic challenge-response exchange between the SIM/USIM and the home network's Authentication Centre, relayed by the serving network, in which the long-term subscriber key is never sent over the air.

Category: Security
Introduced: Rel-4
Where: Security
Also touches: 2 segments (Services, Radio Access Network)
Specifications: 9 specs

Description

User Identity Authentication (UIA) is the core procedure defined by 3GPP to ensure that a user or device is who it claims to be before it is granted access to cellular network services. It is the authentication half of the Authentication and Key Agreement (AKA) protocol, specified for UMTS in TS 33.102, for EPS in TS 33.401 and for 5G in TS 33.501. The entities involved are the User Equipment (UE) with its SIM or USIM, the serving network (VLR/SGSN in 2G/3G, MME in EPS, AMF/SEAF in 5G), and the home network's Authentication Centre (AuC) behind the HLR/HSS (in 5G, the UDM/ARPF together with the AUSF).

The procedure starts when the serving network requests authentication vectors from the home network. The AuC generates each vector from the long-term secret key K that it shares with the subscriber's (U)SIM, identified by the IMSI (SUPI in 5G), together with a sequence number SQN that it increments per vector. A UMTS vector (quintet) contains a random challenge RAND, the expected response XRES, a cipher key CK, an integrity key IK and an authentication token AUTN = (SQN xor AK) || AMF || MAC, where AK is an anonymity key derived from RAND that conceals the SQN on the air interface and MAC is computed with K over RAND, SQN and AMF. EPS and 5G vectors carry KASME or KAUSF and XRES* in place of CK/IK, but the challenge-response logic is the same.

The serving network forwards RAND and AUTN to the UE. The USIM, which holds the same K, derives AK from RAND to recover SQN, recomputes the MAC and compares it with the one in AUTN; a match proves that the challenge was produced by a network that knows K (authentication of the network to the user). It then checks that SQN is fresh, that is, has not been accepted before and lies within an acceptable window of the highest value accepted so far, which defeats replay of recorded challenges. A failed MAC check is reported to the network as a MAC failure; an out-of-range SQN is reported as a synchronisation failure together with a re-synchronisation token AUTS from which the home network can realign its counter. If both checks pass, the USIM computes RES from RAND and K and the UE returns it to the serving network, which compares it with XRES; a match authenticates the user.

Successful UIA also leaves the UE and the network holding the same CK and IK (or keys derived from them), from which ciphering and integrity protection of subsequent signalling and user traffic are derived. The resulting mutual authentication (network authenticates user, user authenticates network) was introduced with UMTS AKA; GSM authentication was one-way, authenticating only the SIM to the network.
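The exchange described above, as an added worked example that is not code from 3GPP or from any operator implementation. It models the UMTS AKA message flow of TS 33.102 clause 6.3 with both sides present: the AuC builds a vector, the USIM verifies AUTN (MAC check, then SQN freshness), the serving network compares RES with XRES, and the failure paths (MAC failure, synchronisation failure with AUTS and the home-network resync) are exercised. HMAC-SHA256 stands in for the f1..f5 and f1*..f5* functions (MILENAGE or TUAK on a real card), and the single-counter freshness check is a simplification of the Annex C array scheme; the subscriber key, IMSI, AMF value and the window delta are constructed test values.

```python
# Added example: UMTS AKA exchange in the shape of TS 33.102 clause 6.3.
# HMAC-SHA256 stands in for the USIM's f1..f5 / f1*..f5* (MILENAGE or TUAK
# on real cards); output lengths follow the spec. All keys are constructed.
import hashlib
import hmac
import os

AMF = b"\x80\x00"       # AMF carried in AUTN (constructed value)
AMF_STAR = b"\x00\x00"  # AMF* used for MAC-S in resynchronisation is all zeros

def _f(k, tag, *parts):
    return hmac.new(k, tag + b"".join(parts), hashlib.sha256).digest()

# Stand-ins for the AKA functions, truncated to the spec's output lengths.
def f1(k, rand, sqn, amf): return _f(k, b"f1", rand, sqn, amf)[:8]    # MAC-A
def f1s(k, rand, sqn, amf): return _f(k, b"f1*", rand, sqn, amf)[:8]  # MAC-S
def f2(k, rand): return _f(k, b"f2", rand)[:8]    # RES / XRES
def f3(k, rand): return _f(k, b"f3", rand)[:16]   # CK
def f4(k, rand): return _f(k, b"f4", rand)[:16]   # IK
def f5(k, rand): return _f(k, b"f5", rand)[:6]    # AK, conceals SQN in AUTN
def f5s(k, rand): return _f(k, b"f5*", rand)[:6]  # AK*, conceals SQN_MS in AUTS
def xor(a, b): return bytes(x ^ y for x, y in zip(a, b))

class AuC:
    """Home network side: long-term K and the SQN counter per IMSI."""
    def __init__(self, subscribers):
        self.db = subscribers  # IMSI -> {"K": bytes, "SQN": int}

    def generate_vector(self, imsi):
        rec, rand = self.db[imsi], os.urandom(16)
        k, sqn = rec["K"], rec["SQN"].to_bytes(6, "big")
        rec["SQN"] += 1
        # AUTN = (SQN xor AK) || AMF || MAC-A
        autn = xor(sqn, f5(k, rand)) + AMF + f1(k, rand, sqn, AMF)
        return {"RAND": rand, "XRES": f2(k, rand), "CK": f3(k, rand),
                "IK": f4(k, rand), "AUTN": autn}

    def resync(self, imsi, rand, auts):
        """On a synchronisation failure: recover SQN_MS from AUTS, verify
        MAC-S, and move the home counter past the USIM's value."""
        k = self.db[imsi]["K"]
        sqn_ms = xor(auts[:6], f5s(k, rand))
        if not hmac.compare_digest(auts[6:], f1s(k, rand, sqn_ms, AMF_STAR)):
            return False
        self.db[imsi]["SQN"] = int.from_bytes(sqn_ms, "big") + 1
        return True

class USIM:
    """Subscriber side: the same K plus the highest SQN accepted so far."""
    def __init__(self, k, delta=2 ** 28):  # delta: Annex C example window size
        self.k, self.sqn_ms, self.delta = k, 0, delta

    def authenticate(self, rand, autn):
        conc, amf, mac = autn[:6], autn[6:8], autn[8:]
        sqn = xor(conc, f5(self.k, rand))
        # 1. Network authentication: the MAC must verify under our own K.
        if not hmac.compare_digest(mac, f1(self.k, rand, sqn, amf)):
            return "MAC_FAILURE", None
        # 2. Freshness: SQN must be unseen and within delta of the highest
        #    accepted value (simplified single-counter form of Annex C).
        n = int.from_bytes(sqn, "big")
        if not self.sqn_ms < n <= self.sqn_ms + self.delta:
            ms = self.sqn_ms.to_bytes(6, "big")
            # AUTS = (SQN_MS xor AK*) || MAC-S lets the AuC realign its counter
            auts = xor(ms, f5s(self.k, rand)) + f1s(self.k, rand, ms, AMF_STAR)
            return "SYNC_FAILURE", auts
        self.sqn_ms = n
        return "OK", {"RES": f2(self.k, rand), "CK": f3(self.k, rand), "IK": f4(self.k, rand)}

def serving_network_auth(vector, usim):
    """VLR/SGSN/MME role: send RAND||AUTN, compare the returned RES with XRES."""
    status, out = usim.authenticate(vector["RAND"], vector["AUTN"])
    if status != "OK":
        return status, None
    if not hmac.compare_digest(out["RES"], vector["XRES"]):
        return "RES_MISMATCH", None
    return "AUTHENTICATED", (out["CK"], out["IK"])

def demo():
    """Normal run, replay, rogue network, and home-network resynchronisation."""
    imsi, k = "001010123456789", bytes(range(16))  # constructed test subscriber
    auc, usim, r = AuC({imsi: {"K": k, "SQN": 5}}), USIM(k), {}
    v1 = auc.generate_vector(imsi)
    r["normal"], keys = serving_network_auth(v1, usim)
    r["keys_agree"] = keys == (v1["CK"], v1["IK"])            # both sides hold CK/IK
    r["replay"] = usim.authenticate(v1["RAND"], v1["AUTN"])[0]  # MAC ok, SQN stale
    rogue = AuC({imsi: {"K": os.urandom(16), "SQN": 9}})      # does not know K
    r["rogue"] = serving_network_auth(rogue.generate_vector(imsi), usim)[0]
    auc.db[imsi]["SQN"] = 1                                    # home counter fell behind
    v2 = auc.generate_vector(imsi)
    r["desync"], auts = usim.authenticate(v2["RAND"], v2["AUTN"])
    r["resync_ok"] = auc.resync(imsi, v2["RAND"], auts)       # AuC moves to SQN_MS + 1
    r["after_resync"] = serving_network_auth(auc.generate_vector(imsi), usim)[0]
    return r
```

Calling demo() returns the outcome of each scenario: the normal run yields AUTHENTICATED with identical CK/IK on both sides, replaying an already-used vector passes the MAC check but fails the SQN check (SYNC_FAILURE), a network that does not know K fails the MAC check (MAC_FAILURE), and after the AuC processes the AUTS token the next vector is accepted again. The constant-time comparisons (hmac.compare_digest) are deliberate: both MAC and RES/XRES checks compare secrets derived from K.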

Purpose & Motivation

UIA exists to establish secure, trusted access to mobile network resources, solving the fundamental security problem of impersonation and unauthorized use. Before standardized authentication, early mobile systems had weak or no authentication, making them vulnerable to cloning and fraud. The motivation for developing robust UIA in GSM (and its evolution through 3G, 4G, and 5G) was to protect network operators from revenue loss due to fraud and to protect user privacy and service integrity. It addresses the limitations of simple password-based systems by using a shared secret stored in a tamper-resistant module (SIM) and cryptographic challenge-response mechanisms that never transmit the secret key over the air. The creation of the AKA protocol, with UIA at its heart, was driven by the need for a scalable, efficient authentication method suitable for millions of devices, capable of supporting roaming between different operator networks, and providing a foundation for generating session keys for confidentiality and integrity. Its continuous evolution across releases addresses emerging threats, enhances key lengths and algorithms, and adapts to new network architectures (e.g., EPS AKA in LTE, 5G AKA in 5G SA) while maintaining backward compatibility and global interoperability.

Classification

Part of: AKA
Related approaches: AuC, USIM, SUPI

Detected Changes Across Releases

from 3GPP Change Requests

Specific changes extracted from the "Change history" tables of 3GPP specifications (69 CRs across 5 releases). Complements the general historical overview above with the evidence-based evolution of this function.

Studied in Rel-4, normative work from Rel-15.

Rel-15 (29 changes)

In Release 15, the UIA function was enhanced with clarifications and corrections to several key procedures, including the initiation of authentication, the primary and secondary authentication procedures, and the support for additional EAP methods. The release also introduced specific error handling for Service-Based Architecture (SBA) authentication and authorization, and provided clarifications on authentication for token-based authorization and the use of unused 5G authentication vectors. Furthermore, corrections were made to the authentication framework, the 5G AKA procedure, and the handling of the SUPI format in KAMF computation.

  • Rules on concurrent running of authentication and NAS SMC procedure (TS 33.501 CR0004)
  • Clarifications to: Protection at the network or transport layer, Authorization and authentication between network functions and the NRF (TS 33.501 CR0147)
  • Corrections to secondary authentication procedure (TS 33.501 CR0064)
  • Corrections related to authentication related services (TS 33.501 CR0080)
  • Clarifications to: Initiation of authentication and selection of authentication method (TS 33.501 CR0084)
  • Clarifications to: Authentication procedures (TS 33.501 CR0115)

(23 more changes not listed)

Rel-16 (16 changes)

In Release 16, the UIA function was enhanced to support authentication and authorization between network functions and SeCoPs (Service Communication Proxies, the name used in these CRs for what is now called the SCP), as well as in indirect communication scenarios and for PNI-NPN. It also introduced network slice specific authentication and authorization, along with clarifications on secondary authentication revocation and on the use of authentication methods.

  • Authentication and authorization between SeCoP and network functions (TS 33.501 CR0693)
  • Authentication and authorization between SeCoPs (TS 33.501 CR0694)
  • Authentication in indirect communication scenarios (TS 33.501 CR0808)
  • SUCI computation: implementers' test data for network specific identifier-based SUPI (TS 33.501 CR0847)
  • Network slice specific authentication and authorization clauses (TS 33.501 CR0853)
  • Removing editor's note on capturing all the details for alternative authentication methods (TS 33.501 CR0684)

(10 more changes not listed)

Rel-17 (12 changes)

In Release 17, the UIA function was enhanced with clarifications and new procedures, including authentication for UE behind 5G-RG/FN-RG, secondary authentication during UE onboarding, and authentication in the user plane for MBS. It also introduced specific authentication method selection for N5CW and clarified the support for authentication methods in an SNPN. Furthermore, the release provided corrections on network slice re-authentication by the AAA-S and the handling of the KAUSF key after successful primary authentication.

  • Change the procedure of network slice re-authentication and revocation by AAA-S (TS 33.501 CR1091)
  • Removing Editor's note on SUPI sent to AAA (TS 33.501 CR1289)
  • Removing Editor's note on Credentials Holder using AUSF and UDM for primary authentication (TS 33.501 CR1307)
  • Usage of AN ID for NSWO authentication (TS 33.501 CR1317)
  • Corrections and clarifications to secondary authentication during UE onboarding (TS 33.501 CR1388)
  • Clarification on Authentication for UE behind 5G-RG and FN-RG (TS 33.501 CR1459)

(6 more changes not listed)

Rel-18 (11 changes)

In Release 18, the UIA function was enhanced to introduce a new Home Network triggered primary authentication procedure and to support the authentication of User Equipment and AUN3 devices located behind a 5G-RG or FN-RG using Non-Seamless WLAN Offload (NSWO). The release also clarified the split between authentication and authorization functions and specified the reuse of an error code during the home network triggered authentication process.

  • Authentication for UE behind 5G-RG and FN-RG using NSWO (TS 33.501 CR1593)
  • Authentication of AUN3 devices behind RG (TS 33.501 CR1614)
  • Introducing Home Network triggered primary authentication procedure (TS 33.501 CR1670)
  • Use of NF Instance ID in the mutual authentication between the NF Consumer and NRF (TS 33.501 CR1761)
  • Resolution of editor's notes related to selection of authentication method (TS 33.501 CR1767)
  • Home Network triggered Primary authentication clarifications (TS 33.501 CR1777)

(5 more changes not listed)

Rel-19 (1 change)

In Release 19, the specific enhancement for the User Identity Authentication (UIA) function was a correction to the mutual authentication requirement between the USIM and the network. This requirement is fundamentally based on a challenge/response protocol using a shared secret key (K) to ensure both the network authenticates the USIM and the USIM authenticates the network. The update ensures the procedure unambiguously fulfills this core security requirement as defined in the specifications.

  • Correct mutual authentication requirement (TS 33.501 CR2163)


Defining Specifications

3GPP specifications that define or reference UIA, with the latest known release. Sourced from the 3GPP document catalog — see methodology.

Specification (3GPP version code) | Title | Release
TS 21.111 vj00 | USIM and UICC Requirements for 3G | Rel-19
TR 21.905 vj00 | 3GPP Technical Terms and Definitions | Rel-19
TS 23.060 vj00 | GPRS Service Description Stage 2 | Rel-19
TS 25.413 vj00 | Radio Access Network Application Part (RANAP) | Rel-19
TS 33.102 vj10 | 3G Security Architecture Specification | Rel-19
TS 33.401 vj10 | EPS Security Architecture | Rel-19
TS 33.501 vk00 | 5G Security Architecture and Procedures | Rel-20
TS 33.700 | 3GPP TR 33.700 | Rel-4
TS 33.859 vb10 | UTRAN Key Hierarchy Enhancement Study | Rel-11