Access Control

A discrimination process of determining whether an actor X (e.g. a person, program or device) is allowed to have access to data, functionality or service Y.


A statement by an actor towards a concerned party concerning the Identity of another actor. Usually this statement is made by an Identity Provider (IdP) towards a Service Provider regarding the validity of an ID Claim made by a User.


Attribute

A description of a characteristic of an identity. Examples include: hair colour, age, presence status, location. Note that an attribute may uniquely identify the identity, in which case it is an identifier.
Also see: Identifier, Identity.


Authentication

Authentication is the overall process of establishing that the actor being authenticated is indeed the actor in whose name assertions are being made, with an implicit or explicit level of confidence and liability. The actor in question may be a human or any non-human system entity (client, server, application, etc.). The authentication authority may perform authentication for the benefit of another party that resides in another domain.

Authentication authority

An actor guaranteeing that an assertion is indeed correct, with an explicit or implicit level of confidence and liability.

Authentication Level

A hierarchical assignment of authentication methods reflecting increasing strengths to resist violations and attacks.

Authentication Mechanism

Functions that validate claimed identities and output a status that is either true (verified) or false (rejected).
Also see: Mutual and Single sided.


A data structure that can be validated and that contains one or more identifiers and various contexts.

Biometric identification

The automatic identification of living individuals by using their physiological and behavioral characteristics.


A data structure that can be validated and that contains one or more identifiers and various contexts. It is an apparition of a credential.

Certificate Authority or Certifying Authority (CA)

A trusted third party entity that issues digital certificates. CAs are characteristic of many public key infrastructure (PKI) schemes: the digital certificate certifies the ownership of a public key and allows others (relying parties) to rely upon signatures or assertions made by the private key that corresponds to the public key that is certified.

Circle of Trust

A federation of service providers and identity providers that have business relationships and operational agreements and within which actors can interact in an environment characterized by implicit or explicit level of security.


Credentials

Actor-specific information that is transferred, stored and processed in order to authenticate an actor or authorize a transaction.
Credentials may be of three different types:
– “Something you know” (e.g. a password)
– “Something you have” (e.g. a bank card)
– “Something you are” (e.g. an iris reading, a MAC address)

Data Retention

Retention of traffic data for forensic purposes.
In Europe regulated by the EU-Directive on Data Retention (2005) that mandates operators to retain traffic data logs (time, addresses etc.) from 6 to 24 months.

Digital Signature

A process using public key cryptography for demonstrating the authenticity of a digital message or document. Digital signatures are often used to implement electronic signatures (meaning any electronic data that carries the intent of a signature), but are more difficult to forge than the handwritten type. Digital signatures can also provide non-repudiation, meaning that the signer cannot successfully claim they did not sign a message, while also claiming their private key remains secret; further, some non-repudiation schemes offer a time stamp for the digital signature, so that even if the private key is exposed, the signature is valid.


A business or governmental area characterized by one supreme administration authority and a set of rules (policy) that applies within its context and confinement.


A physical person operating through a client.

Entity authentication

When the identity information representations belonging or relating to the same actor, belonging to different IdPs, are linked or bound together (see also user authentication).

Extensible Authentication Protocol (EAP)

An authentication protocol which supports multiple authentication mechanisms. EAP typically runs directly over the link layer without requiring IP and therefore includes its own support for in-order delivery and retransmission.

Federated Identity

When the identity information representations belonging or relating to the same actor, belonging to different IdPs, are linked or bound together.


Identifier

An attribute that is unique within a defined scope. Examples are: MSISDN, email address, account number.
Also see: Attribute, Identity.


Identity

The collective aspect of the set of characteristics by which an actor is uniquely recognizable or known. The set of behavioural or personal characteristics by which an actor (e.g. individual or group) is recognizable.
An identity is described by its attributes, some of which may be identifiers.
Also see: Attribute, Identifier.

Identity Claim (ID claim)

A claim made by an actor stating its identity. Without validation, no assumptions can be made regarding the actor’s identity. An Identity Claim is usually made by a User towards a Service Provider.

Identity Federation

The process of setting up a cross-domain relationship and the act of requesting, passing and using user-related information across different administrative domains. In this context, federated identity standards define what amounts to an “abstraction layer” over the legacy identity and security environments of these diverse domains. Each domain maps its own local identity and security interfaces and formats to the agreed upon identity federation standards which are to be used externally, without the need to divulge sensitive subscriber data.

Identity Management (IDM)

A set of processes, technologies and services in order to manage principals’ identities (creation, maintenance and termination of principal accounts), secure access to the operator’s resources (data and services) and protect principals’ private data.

Identity Mapping

Mapping of identities between different IdPs or between local subsystems.

Identity Provider (IdP)

A provider that manages identity information, including providing that information to other actors on behalf of users, and that also provides statements of authentication to other actors.

Identity Token

A credential used in a specific context.


IMEI

International Mobile Equipment Identity: a globally unique identifier (hard-coded in the handset).

Implicit Authentication

A result when two or more communicators share the same crypto key-pairs and decryption works OK.

Implicit Authorization

The result of authentication alone if non-discrimination for different allowances is executed among defined users or processes.


IMSI

International Mobile Subscriber Identity: the basic structured identifier for the SIM/UICC in GSM mobile systems.


MSISDN

Mobile Subscriber ISDN Number: a structured identifier for the subscriber indicating his A-Number.

Mobile Signature

A digital signature generated either on a mobile phone or on a SIM card.

Multi-tiered authentication

The actor is initially authenticated by an identity provider. The actor is then to be re-authenticated due to a requirement for another form of authentication, and as a result of a policy decision. Ultimately, the actor must present another assertion of identity, such as a public-key certificate.

Mutual authentication

Mutual authentication implies that the authenticating actor authenticates itself with the actor being authenticated as well as vice versa.

One-Time-Password (OTP)

A password that is valid for only one login session or transaction, thus reducing the risk of an unauthorized intruder gaining access to the account. Usually used as a second-factor form of authentication. One-Time-Passwords can be generated (not exclusively) in the following forms:

– IVR-OTP – Interactive Voice Response One-Time-Password: the user is authenticated through the use of voice and DTMF (dual-tone multi-frequency signalling), employed as a second-factor form of authentication.
– SMS-OTP – a One-Time-Password generated over SMS.
– Handset generated OTP – a One-Time-Password generated within the handset.
– SIM-generated OTP – a One-Time-Password generated within the SIM card.


A set of rules that regulates authorizations as well as levels of authentication.

Qualified Certificate (QC)

An X.509 certificate issued to physical persons that fulfils the requirements given by ETSI and IETF standards.


RADIUS

Remote Authentication Dial In User Service: the most common AAA (authentication, authorisation and accounting) protocol for Internet accesses today.


Registration

The process of binding a person (entity, object or similar) to an identity.
Registration normally comprises:
1. Enrolment.
2. Binding between a verifiable user ID and a system-assigned ID (policy dependent).
3. Provisioning (client and systems).

Registration Provider

A function that is responsible for the enrolment of physical users into the identity registry of the IdP, where the user is represented by one or more identifiers. The RP executes necessary controls to corroborate that the identifiers really represent the correct user, and for which the RP also may be liable.

Depending on policy and available technology, a registration may include physical appearance and authentication of the user by provisioning of legally approved and valid proof of identity means like passports, driver’s license with picture, biometrics, etc. The RP function may also include the storage of copies of such proof for an applicable time.

Finally, it may include external verification controls against legally approved databases like social security registries.

The policy may depend on national and international law, system, and service (registration of a bank account owner differs from a Telco subscriber).

Comparable concepts are the formal LRA and RA in PKI systems, e.g., IETF RFC 2527, and also ETSI TS 101 456 for Qualified Certificates.

Second Factor Authentication

A security process in which the user provides two means of identification, one of which is typically a physical token such as a card or a mobile device (“something I have”), and the other of which is typically something memorized, such as a security code or password (“something I know”). A third factor, such as biometric forms of identification or location confirmation, can sometimes be added for further security (“something I am”).

Service Provider (SP)

Service Provider is a provider of services and/or goods, which may require an actor authentication and/or transfer of actor information for purposes of a particular transaction.


SIM

Subscriber Identity Module: an application on the UICC that stores and handles the Subscriber identities (IMSI) and also the authentication and session key derivation functions for GSM (A3/A8).

SIM Toolkit (SAT or STK)

SIM Toolkit provides a set of commands which allow applications, existing in the UICC, to interact and operate with a mobile client which supports the specific command(s) required by the application. Using the SIM Toolkit, applications can be downloaded to the SIM in a secure manner.

Single Logout

Same as Single Sign-Off.

Single Sign-Off (aka Single Sign-Out)

When a user logs out, all sessions initiated by the single sign-on that might be open are terminated for that user, and closed.

Single Sign-On (SSO)

The process and the notion of an actor being authenticated once for later access to multiple resources and services across security domains.

Single-Sided Authentication

Only one side in a communication session is authenticated, rather than both sides independently authenticating each other.
Also see: Mutual Authentication.

Subscriber (also known as Subscriber or Bill Payer)

Role carried out by a company (usually represented by an administrator) or a person (or a group), which pays for the services offered by the operator. These services are used by the End Users linked to the Subscriber (i.e. ‘Subscriber: End User’ relationship is 1:N, where N=1, 2, …). A person (or a group) may play both roles, Subscriber and End User, but also only one of them.


UICC

The smart-card platform furnished for mobile applications together with its operating system. Popularly, but erroneously, denoted as the ‘SIM’ or ‘SIM-card’ (SIM is an application on the UICC).

User Agent

Software that a “user” interacts with directly. A user agent typically implements a user interface.

User authentication

The process of authenticating a personal (physical) user. User Authentication may consist of one, or a combination, of the following three (independent) elements: something the user knows, has or is.

If only one factor is used, UA is denoted as “weak” (like PIN or password only); 2-factor UA is denoted “strong”.

User authentication methods

Commonly classified as being one-factor, two-factor, or three-factor, whereas the said factors are normally: “something you have”, i.e. a physical device (e.g. a smart card), “something you know” (e.g. a password), or “something you are” (e.g. a biometric factor, such as a fingerprint).
Also see: Credentials.


USIM

An application on the UICC that stores and handles the Subscriber identities (IMSI) and also the authentication and session key derivation functions for UMTS (3G).


Validation

The process of determining whether an Identity claimed by an actor (see Identity Claim) is valid, possibly on behalf of a third party. The result of this process is an assertion towards the concerned party on whether or not the ID claimed by the actor is valid. Validation is usually requested by an SP towards an IdP when a User has made an ID claim.