Glossary

Glossary

Access Control

A discrimination process of determining whether an actor X (e.g. a person, program or device) is allowed to have access to data, functionality or service Y.

Assertion

A statement by an actor towards a concerned party concerning the Identity of another actor. Usually this statement is made by an Identity Provider (IdP) towards a Service Provider regarding the validity of an ID Claim made by a User.

Attribute

A description of a characteristic of an identity. Examples include: hair colour, age, presence status, location. Note that an attribute may be uniquely identifying the identity in which case it is an identifier.
Also see: Identifier, Identity.

Authentication

Authentication is the overall process of establishing that the actor being authenticated is indeed the actor in whose name assertions are being made, with an implicit or explicit level of confidence and liability. The actor in question may be a human or any non-human system entity (client, server, application, etc). The authentication authority may perform authentication for the benefits of another that resides in another domain.

Authentication authority

An actor guaranteeing that an assertion is indeed correct, with an explicit or implicit level of confidence and liability.

Authentication Level

A hierarchical assignment of authentication methods reflecting increasing strengths to resist violations and attacks.

Authentication Mechanism

Functions that validates claimed identities and that output a status that is either true (verified) or false (rejected).
Also see: Mutual and Single sided.

Authority

A data structure that can be validated and that contains one or more identifiers and various contexts.

Biometric identification

The automatic identification of living individuals by using their physiological and behavioral characteristics

Certificate

A data structure that can be validated and that contains one or more identifiers and various contexts. It is an apparition of a credential.

Certificate Authority or Certifying Authority (CA)

A trusted third party entity that issues digital certificates. CAs are characteristic of many public key infrastructure (PKI) schemes: the digital certificate certifies the ownership of a public key and allows others (relying parties) to rely upon signatures or assertions made by the private key that corresponds to the public key that is certified.

Circle of Trust

A federation of service providers and identity providers that have business relationships and operational agreements and within which actors can interact in an environment characterized by implicit or explicit level of security.

Credentials

Actor-specific information that is transferred stored and processed in order to authenticate an actor or authorize a transaction.
Credentials may be of three different types:
– “Something you know” (e.g. a password)
– “Something you have” (e.g. a bank card,)
– “Something you are” (e.g. an iris reading, a MAC address)

Data Retention

Retention of traffic data for forensic purposes.
In Europe regulated by the EU-Directive on Data Retention (2005) that mandates operators to retain traffic data logs (time, addresses etc.) from 6 to 24 months.

Digital Signature

A process using public key cryptography for demonstrating the authenticity of a digital message or document. Digital signatures are often used to implement electronic signatures (meaning any electronic data that carries the intent of a signature), but are more difficult to forge than the handwritten type. Digital signatures can also provide non-repudiation, meaning that the signer cannot successfully claim they did not sign a message, while also claiming their private key remains secret; further, some non-repudiation schemes offer a time stamp for the digital signature, so that even if the private key is exposed, the signature is valid.

Domain

A business or governmental area characterized by one supreme administration authority and a set of rules (policy) that applies within its context and confinement.

End-User

A physical person operating through a client.

Entity authentication

When the identity information representations belonging or relating to the same actor, belonging to different IdP’s are linked or bind together (see also user authentication).

Extensible Authentication Protocol (EAP)

An authentication protocol which supports multiple authentication mechanisms. EAP typically runs directly over the link layer without requiring IP and therefore includes its own support for in-order delivery and retransmission.

Federated Identity

When the identity information representations belonging or relating to the same actor, belonging to different IdP’s are linked or bind together.

Identifier

An attribute that is unique within a defined scope. Examples are: MSISDN, email address, account number.
Also see: Attribute, Identity.

Identity

The collective aspect of the set of characteristics by which an actor is uniquely recognizable or known. The set of behavioural or personal characteristics by which an actor (e.g. individual or group) is recognizable.
An identity is described by its attributes, some of which may be identifiers.
Also see: Attribute, Identifier.

Identity Claim (ID claim)

A claim made by an actor stating its identity. Without validation, no assumptions can be made regarding the actor’s identity. An Identity Claim is usually made by a User towards a Service Provider.

Identity Federation

The process of setting up a cross-domain relationship and the act of requesting, passing and using user-related information across different administrative domains. In this context, federated identity standards define what amounts to an “abstraction layer” over the legacy identity and security environments of these diverse domains. Each domain maps its own local identity and security interfaces and formats to the agreed upon identity federation standards which are to be used externally, without the need to divulge sensitive subscriber data.

Identity Management (IDM)

A set of processes, technologies and services in order to manage principals’ identities (creation, maintenance and termination of principal accounts), secure access to the operator’s resources (data and services) and protect principals’ private data.

Identity Mapping

Mapping of identities between different IdP’s or between local subsystems.

Identity Provider (IdP)

A provider that manages identity information including providing that information to other actors, on behalf of users and also provides statement of authentication to other actors.

Identity Token

A credential used in a specific context.

IMEI

International Mobile Equipment Identity: a globally unique identifier (hard-coded in the handset).

Implicit Authentication

A result when two or more communicators share the same crypto key-pairs and decryption works OK.

Implicit Authorization

The result of authentication alone if non-discrimination for different allowances is executed among defined users or processes.

IMSI

International Mobile Subscriber Identity: the basic structured identifier for the SIM/UICC in GSM mobile systems.

MSISDN

Mobile Subscriber ISDN Number: a structured Identifier for the subscriber indicating his A-Number.

Mobile Signature

A digital signature generated either on a mobile phone or on a SIM card.

Multi-tiered authentication

The actor is initially authenticated by an identity provider. The actor is then to be re-authenticated due to a requirement for another form of authentication, and as a result of a policy decision. Ultimately, the actor must present another assertion of identity, such as, a public-key certificate.

Mutual authentication

Mutual authentication implies that the authenticating actor authenticates itself with the actor being authenticated as well as vice versa.

One-Time-Password (OTP)

A password that is valid for only one login session or transaction, thus reducing the risk of an unauthorized intruder gaining access to the account.  Usually used as a second-factor form of authentication. One-Time-Passwords can be generated (not exclusively) in the following forms:

  • IVR-OTP – Interactive Voice Response One-Time-Password: the user is authenticated through the use of voice and DTMF (dual-tone multi-frequency signalling), employed as a second-factor form of authentication.
  • SMS-OTP – a One-Time-Password generated over SMS
  • Handset generated OTP – a One-Time-Password generated within the handset
  • SIM-generated OTP – a One-Time-Password generated within the SIM card

Policy

A Set of rules that regulates authorizations as well as levels of authentication.

Qualified Certificate (QC)

An X.509 certificate issued to physical persons that fulfils the requirements given by ETSI and IETF standards.

RADIUS

Remote Authentication Dial In User Service: the most common AAA (authentication, authorisation and accounting) protocol for Internet accesses today.

Registration

The process of binding a person (entity, object or similar) to an identity.
Registration normally comprises of:
1. Enrolment.
2. Binding between a verifiable user ID and a system-assigned ID (policy dependent).
3. Provisioning (client and systems).

Registration Provider

A function that is responsible for the enrolment of physical users into the identity registry of the IDP, where the user is represented by one or more identifiers. The RP executes necessary controls to corroborate that the identifiers really represents the correct user, and for which the RP also may be liable.

Depending on policy and available technology, a registration may include physical appearance and authentication of the user by provisioning of legally approved and valid proof of identity means like passports, driver’s license with picture, biometrics, etc. RP function may also include the storage of copies of such proof for an applicable time.

Finally, it may include external verification controls against legally approved databases like social security registries.

The policy may depend on national and international law, system, and service (registration of a bank account owner differs from a Telco subscriber).

Comparable concepts are the formal LRA and RA in PKI systems, e.g., IETF RFC 2527, and also ETSI TS 101 456 for Qualified Certificates.

Second Factor Authentication

A security process in which the user provides two means of identification, one of which is typically a physical token such as a card or a mobile device (“something I have”), and the other of which is typically something memorized, such as a security code or password (“something I know”). A third factor, such as biometric forms of identification or location confirmation – can sometimes be added for further security (“something I am”).

Service Provider (SP)

Service Provider is a provider of services and/or goods, which may require an actor authentication and/or transfer of actor information for purposes of a particular transaction.

SIM

Subscriber Identity Module: an application on the UICC that stores and handles the Subscriber identities (IMSI) and also the authentication and session key derive functions for GSM (A3/A8)

SIM Toolkit (SAT or STK)

SIM Toolkit provides a set of commands which allow applications, existing in the UICC, to interact and operate with a mobile client which supports the specific command(s) required by the application. Using the SIM Toolkit, applications can be downloaded to the SIM in a secure manner.

Single Logout

Same as Single Sign-Off.

Single Sign-Off (aka Single Sign-Out)

When a user logs out, all sessions initiated by the single sign-on that might be open are terminated for that user, and closed.

Single Sign-On (SSO)

The process and the notion of an actor being authenticated once for later access to multiple resources and services across security domains

Single-Sided Authentication

Only one side in a communication session independently to authenticate each other.
Also see: Mutual Authentication.

Subscriber (also known as Subscriber or Bill Payer)

Role carried out by a company (usually represented by an administrator) or a person (or a group), which pays for the services offered by the operator. These services are used by the End Users linked to the Subscriber (i.e. ‘Subscriber: End User’ relationship is 1:N, where N=1, 2, …). A person (or a group) may play both roles, Subscriber and End User, but also only one of them.

UICC

The smart-card platform furnished for mobile applications together with its operations system. Popular: erroneously denoted as the ‘SIM’ or ‘SIM-card’ (SIM is an application on the UICC).

User Agent

Software that a “user” interacts with directly. A user agent typically implements a user interface.

User authentication

The process of authenticating a personal (physical) user. User Authentication may consist of one, or combinations of the following (independent) three elements: something the user know, has or is.

If only one factor is used, UA is denoted as “weak” (like PIN or password only); 2-factor UA is denoted “strong”.

User authentication methods

Commonly classified as being one-factor, two-factor, or three-factor, whereas the said factors are normally: “something you have”, i.e. a physical device (e.g. a smart card), “something you know” (e.g. a password), or “something you are” (e.g. a biometric factor, such as a fingerprint).
Also see: Credentials.

USIM

An application on the UICC that stores and handles the Subscriber identities (IMSI) and also the authentication and session key derive functions for UMTS (3G).

Validation

The process of determining whether an Identity claimed by an actor (see Identity Claim) is valid, possibly on behalf of a third party. The result of this process is an assertion towards the concerned party on whether or not the ID claimed by the actor is valid. Validation is usually requested by an SP towards an IDP when a User has made an ID claim.

Driving Mobile Connect Usage – Turkcell Looking to improve its customers’ experience and further differentiate its proposition, Turkcell launched Mobile Connect initially on its self-care mobile application and websi...

Read more | See all Identity Resources

Mobile Connect London Summit: Presentations Taking place on the 25th and 26th April, the Mobile Connect London Summit was a forum for leading figures in the wider mobile industry to debate the most pressing issues in the...

Read more | See all Identity Resources

The PSD2 Opportunity: Mobile Operators and Fintech This paper discusses the opportunities relating to the partnership between mobile network operators and fintech companies, and how both parties can benefit from each others&#...

Read more | See all Identity Resources

SK Telecom: Integrating Existing Identity Solutions into Mobile Connec In December 2016, SKT adapted both T-Auth and T-ID to comply with the Mobile Connect specifications. The goal was to make it easier for international customers to use SKT’s app...

Read more | See all Identity Resources

Seminar Presentations from Mobile World Congress 2017 Mobile World Congress 2017 hosted three industry seminars on Mobile Connect and the future of digital identity.  You can find out more about each of these subjects by downloadin...

Read more | See all Identity Resources

SIM Toolkit Device Requirements to Improve Mobile Connect Customer Exp This document presents the requirements for the device to improve the user experience of the Mobile Connect SIM applet authenticator. The ETSI (The European Telecommunications St...

Read more | See all Identity Resources

Markets Turn Their Focus to Cross-Border Trade of Digital Services Since the drafting of eIDAS in 2014, there has been a renewed interest from businesses, particularly in Europe, in secure cross-border trade using digital services. Initiatives s...

Read more | Visit Identity Blog

Mobile Connect-eIDAS Pilot Prepares for Secure Cross-Border Trade Marta Ienco, Head of the Government & Regulatory affairs, Personal Data   As we draw closer to the implementation of the eIDAS Regulation in September 2018, both governments...

Read more | Visit Identity Blog

Asia’s Mobile Industry Unites behind Mobile Connect Download presentations from the event Shanghai—A broad array of MNO’s across Asia have underscored their commitment to Mobile Connect after revealing how the identity solutio...

Read more | Visit Identity Blog

GSMA-FIDO Collaboration a Step Towards Secure Authentication The recent collaborative agreement between the GSMA and the FIDO Alliance, the ecosystem for standards-based, interoperable authentication, is a sign that the digital community i...

Read more | Visit Identity Blog

Exploring Asia’s Identity Offerings at Mobile World Congress Shangha Asia is experiencing a rapid transformation of its digital services. According to Mary Meeker’s 2017 Internet Trends Report, mobile has surpassed both desktop computers and TV...

Read more | Visit Identity Blog

Security Experts Warn of More Dangerous Attacks Gautam Hazari, Technical Director, Identity, GSMA We are in a race against time to develop defences capable of dealing with increasingly dangerous cyber threats, security experts...

Read more | Visit Identity Blog

Mobile World Congress Americas September 12, 2017 Mobile Connect will be present at the inaugural Mobile World Congress Americas event which will feature industry seminars and live demonstrations of the identity solution inside ...

Read more | See all Identity Events

MWCA: Delivering Global Mobile Identity Services September 13, 2017 Mobile Connect is the global mobile industry’s secure universal identity solution.  Now available to over 3 billion consumers worldwide, and with 52 operators deploying Mobile...

Read more | See all Identity Events

Mobile Connect Summit – Singapore November 21, 2017 Following April’s successful Mobile Connect Summit in London, we are pleased to confirm that we will soon be hosting another regional Summit – this time in Singapore...

Read more | See all Identity Events

Contact GSMA Legal Email Preference Centre Copyright © 2017 GSMA. GSM and the GSM Logo are registered and owned by the GSMA.