
WO2025237971A1 - User identity authentication in a communication network - Google Patents

User identity authentication in a communication network

Info

Publication number
WO2025237971A1
Authority
WO
WIPO (PCT)
Prior art keywords
user
credential
network
communication device
request
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
PCT/EP2025/063020
Other languages
French (fr)
Inventor
Yun Zhang
Ferhat KARAKOC
Fengpei Zhang
Jingrui TAO
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Telefonaktiebolaget LM Ericsson AB
Original Assignee
Telefonaktiebolaget LM Ericsson AB
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Telefonaktiebolaget LM Ericsson AB
Publication of WO2025237971A1
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06 Authentication
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0807 Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0815 Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/60 Context-dependent security
    • H04W12/69 Identity-dependent
    • H04W12/72 Subscriber identity
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2117 User registration
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06 Authentication
    • H04W12/069 Authentication using certificates or pre-shared keys

Definitions

  • The present application relates generally to a communication network and more particularly to authentication of a user in such a communication network.
  • A communication network that conforms to 3rd Generation Partnership Project (3GPP) standards heretofore supports authentication at the User Equipment (UE) identifier level.
  • Each UE in this regard registers with the network on the basis of a subscription to the network, such that each UE is identified as being associated with an identifier of that subscription, e.g., a Generic Public Subscription Identifier (GPSI) or a Mobile Subscriber Integrated Services Digital Network Number (MSISDN) stored in a Subscriber Identity Module (SIM)/embedded SIM (eSIM).
  • Some embodiments herein provide user authentication in combination with communication device or subscription authentication in a communication network.
  • One or more such embodiments exploit a passwordless authentication protocol for such user authentication, e.g., according to the W3C WebAuthn protocol or standard.
  • A communication device transmits a request to the network to register a user of the communication device (or a credential for that user) in association with a certain subscription to the network, e.g., where the user is represented by a user name.
  • Before accepting such a request, though, the network validates that the communication device has actually registered with the network on the basis of that subscription, e.g., by translating the network layer (IP) address from which the request arrived into the subscription identifier to which the network allocated that address, and comparing it with the subscription identifier claimed in the request.
  • This effectively links registration of the user (or the user's credential) with registration of the communication device, so that authentication of the user (and of the credential associated with the user) is tied to a certain communication device.
  • The network may then prompt the communication device to assert, and provide the network with, a credential (e.g., a public cryptographic key) associated with the user of the communication device, e.g., a credential whose use the device gates on biometrics from the user.
  • The network may then register the user or the asserted credential as being associated with the user and the communication device in combination.
  • Still other embodiments provision a user profile for a user and a communication device in combination.
  • A user profile may indicate which one or more network services the user and the communication device in combination are nominally authorized to access.
  • The user profile may indicate one or more dynamic conditions under which the user and the communication device in combination are, or are not, actually authorized to access the one or more network services.
  • The network may control authorization of the user and the communication device in combination to access one or more network services according to the user profile.
  • Some embodiments thereby advantageously provide authentication and/or authorization at the user level for the benefit of use cases such as a mobile metaverse. Some embodiments in this regard advantageously enable differentiated quality of service (QoS), network slice access, and/or policy control per user. Moreover, some embodiments enable such user authentication and/or authorization to account for when one user has one or more communication devices and/or when multiple users share one communication device.
  • Embodiments herein include a method performed by a communication device.
  • The method comprises transmitting, to a network node in a communication network, a registration request that requests registration of a user of the communication device and/or registration of a credential associated with the user, wherein the registration request includes subscription identifying information that identifies a subscription based on which the communication device is registered with the communication network.
  • In some embodiments, the registration request requests registration of a user name for the user with the subscription identifying information.
  • In some embodiments, the subscription identifying information is a GPSI or an MSISDN.
  • In some embodiments, the method further comprises, after registration of the user and/or the credential, transmitting an authentication request to the network node requesting authentication of the user with the credential.
  • In some embodiments, the authentication request includes a user name with which the user is registered.
  • In some embodiments, the authentication request includes a credential identifier that identifies the credential to be used for authenticating the user.
  • In some embodiments, the authentication request includes information about one or more network services to which the user requests access.
  • In some embodiments, the method further comprises receiving one or more tokens from the network node in response to the authentication request.
  • In some embodiments, the method further comprises transmitting an invocation request requesting invocation of a network service on the basis of at least one of the one or more tokens, wherein the invocation request includes the at least one of the one or more tokens.
  • In some embodiments, the one or more tokens include a user identity token that includes a user name of the user and/or the subscription identifying information.
  • In some embodiments, the one or more tokens alternatively or additionally include an access token that indicates the user and the communication device in combination are authorized to access the requested network service.
  • Embodiments herein also include a method performed by a network node in a communication network.
  • The method comprises receiving, from a communication device, a credential that is attested as being associated with a user of the communication device.
  • The method also comprises registering the credential with the network node as being associated with the user and the communication device in combination.
  • In some embodiments, said registering comprises associating the credential with the user and the communication device in combination by linking user identifying information that identifies the user, subscription identifying information that identifies a subscription based on which the communication device is registered with the communication network, and the credential.
  • In some embodiments, said linking comprises mapping the credential to a user account maintained for the user at the network node, where the user account for the user includes the user identifying information and the subscription identifying information.
  • In some embodiments, said linking comprises storing, in a user account maintained at the network node for the user, the user identifying information, the subscription identifying information, and a credential record for the credential.
  • In some embodiments, the user identifying information is a user identity or a user name.
  • In some embodiments, the subscription identifying information is a GPSI or an MSISDN.
  • In some embodiments, the method further comprises, after registering the credential, receiving a request to authenticate the user with the credential. In some embodiments, the method further comprises checking whether the communication device from which the request was received is one of the communication devices with which the credential is registered as being associated.
  • In some embodiments, said checking comprises performing one or more of, or requesting another network node to perform one or more of: (i) translating a network layer address of the communication device from which the request was received to a subscription identifier, based on the network layer address having been allocated by the communication network to a communication device associated with that subscription identifier; and (ii) checking whether that subscription identifier is the same as a subscription identifier associated with the communication devices with which the credential is registered as being associated.
  • In some embodiments, the method further comprises deciding that authentication of the user has failed, based on the communication device from which the request was received not being one of the communication devices with which the credential is registered as being associated according to said checking. In other embodiments, the method further comprises deciding that authentication of the user has succeeded, based at least in part on the communication device from which the request was received being one of the communication devices with which the credential is registered as being associated according to said checking.
  • In some embodiments, the credential is a public cryptographic key paired with a corresponding private cryptographic key.
  • In some embodiments, the request includes a cryptographic signature asserted as being created with the private cryptographic key and/or as being verifiable with the public cryptographic key.
  • In some embodiments, the method further comprises attempting to verify the cryptographic signature with the public cryptographic key.
  • In some embodiments, the method further comprises deciding whether authentication of the user has succeeded or failed, based at least in part on whether the attempt to verify the cryptographic signature succeeded or failed.
  • In some embodiments, the method further comprises, based on authentication of the user succeeding, generating a token and transmitting the token in a response to the request.
  • In some embodiments, the method further comprises, before receiving the credential, receiving a request to register a user name for the user with subscription identifying information that identifies a subscription to the communication network, wherein the request includes the subscription identifying information.
  • In some embodiments, the method further comprises checking whether the communication device from which the request was received is registered with the communication network based on the same subscription identifying information as that included in the request.
  • In some embodiments, the method further comprises deciding whether or not to register the user name according to the request based at least in part on said checking.
  • In some embodiments, said checking comprises translating, or requesting another network node to translate, a network layer address of the communication device from which the request was received to subscription identifying information, based on the network layer address having been allocated by the communication network to a communication device associated with that subscription identifying information. In some embodiments, said checking comprises checking whether that subscription identifying information is the same as the subscription identifying information included in the request, i.e., the information based on which the communication device from which the request was received claims to be registered with the communication network.
  • Embodiments herein also include a method performed by a network node in a communication network.
  • The method comprises receiving, from a communication device, a credential that is attested as being associated with a user of the communication device.
  • The method also comprises registering the user with the network node, including associating the credential with the user and the communication device in combination.
  • Embodiments herein further include a method performed by a network node in a communication network.
  • The method comprises obtaining a user profile provisioned in the communication network for a user and a communication device in combination.
  • In some embodiments, the user profile indicates which one or more network services the user and the communication device in combination are nominally authorized to access.
  • In some embodiments, the user profile alternatively or additionally indicates one or more dynamic conditions under which the user and the communication device in combination are, or are not, actually authorized to access the one or more network services.
  • The method also comprises controlling authorization of the user and the communication device in combination to access one or more network services according to the user profile.
  • In some embodiments, said controlling comprises receiving, from the communication device, a request by the user to access a network service. In some embodiments, said controlling comprises checking whether the user and the communication device in combination are authorized to access the requested network service according to the user profile. In some embodiments, said controlling comprises allowing or rejecting the request to access the requested network service depending on said checking. In some embodiments, said allowing or rejecting comprises allowing the request and transmitting a response to the request including an access token granting the user and the communication device in combination access to the requested network service. In some embodiments, said checking comprises checking whether the user and the communication device in combination are nominally authorized to access the requested network service according to the user profile. In other embodiments, said checking alternatively or additionally comprises checking whether the one or more dynamic conditions in the user profile are met.
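  • The profile-based authorization described above, written out as an added example in Go. This is not code from the application or from Ericsson; the application does not say what the dynamic conditions are, so the two used here (a time window and a cap on concurrent sessions for a user-and-device pair, the latter relevant when several users share one device) are assumptions, as are all type and function names (Profile, Context, Authorize, AccessToken) and the sample profile data.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Context is what the network node knows about an access request when it
// evaluates the profile. The fields are assumed here for illustration.
type Context struct {
	Service        string
	Now            time.Time
	ActiveSessions int // sessions already open for this user-and-device pair
}

// Condition is one dynamic condition in the profile: a named predicate over Context.
type Condition struct {
	Name string
	Met  func(Context) bool
}

// Profile is provisioned for a user and a communication device (identified by
// its subscription) in combination: the nominally authorized services plus the
// dynamic conditions under which access is actually granted.
type Profile struct {
	UserName   string
	GPSI       string
	Nominal    map[string]bool
	Conditions []Condition
}

// AccessToken grants the user-and-device pair access to one requested service.
type AccessToken struct {
	UserName, GPSI, Service string
	Expires                 time.Time
}

var ErrNotNominal = errors.New("service not nominally authorized in profile")

// Authorize performs the two checks in order: nominal authorization first,
// then every dynamic condition. Any unmet condition rejects the request.
func (p Profile) Authorize(ctx Context) (AccessToken, error) {
	if !p.Nominal[ctx.Service] {
		return AccessToken{}, ErrNotNominal
	}
	for _, c := range p.Conditions {
		if !c.Met(ctx) {
			return AccessToken{}, fmt.Errorf("dynamic condition not met: %s", c.Name)
		}
	}
	return AccessToken{UserName: p.UserName, GPSI: p.GPSI, Service: ctx.Service,
		Expires: ctx.Now.Add(10 * time.Minute)}, nil
}

// BusinessHours is an assumed condition: access only between 08:00 and 18:00 UTC.
func BusinessHours(ctx Context) bool {
	h := ctx.Now.UTC().Hour()
	return h >= 8 && h < 18
}

// MaxSessions is an assumed condition: at most `limit` concurrent sessions
// for the user-and-device pair.
func MaxSessions(limit int) func(Context) bool {
	return func(ctx Context) bool { return ctx.ActiveSessions < limit }
}

// SampleProfile is constructed data for one user-and-device pair.
func SampleProfile() Profile {
	return Profile{
		UserName:   "alice",
		GPSI:       "gpsi-A",
		Nominal:    map[string]bool{"xr-streaming": true, "voice": true},
		Conditions: []Condition{{"business-hours", BusinessHours}, {"max-2-sessions", MaxSessions(2)}},
	}
}

func main() {
	p := SampleProfile()
	noon := time.Date(2025, 5, 12, 12, 0, 0, 0, time.UTC)
	fmt.Println(p.Authorize(Context{Service: "xr-streaming", Now: noon}))              // token
	fmt.Println(p.Authorize(Context{Service: "gaming", Now: noon}))                    // not nominal
	fmt.Println(p.Authorize(Context{Service: "voice", Now: noon.Add(11 * time.Hour)})) // outside window
	fmt.Println(p.Authorize(Context{Service: "voice", Now: noon, ActiveSessions: 2}))  // session cap
}
```

The nominal check is evaluated before the dynamic conditions so that a request for a service the pair is never entitled to is rejected with a stable error regardless of the current context; the token carries the user name and GPSI together, matching the "user and device in combination" scope the profile is provisioned for.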
  • Embodiments herein also include corresponding apparatus, computer programs, and carriers of those computer programs.
  • Figure 1 is a block diagram of a communication device and a communication network according to some embodiments for registration to support user authentication.
  • Figure 2 is a block diagram of a communication device and a communication network according to some embodiments for user authentication and network service access.
  • Figure 3 is a block diagram of a use case supported by one or more embodiments.
  • Figure 4A is a block diagram of a use case supported by some embodiments.
  • Figure 4B is a block diagram of another use case supported by some embodiments.
  • Figure 5 is a block diagram of a UE and network functions according to some embodiments.
  • Figure 6 is a call flow diagram for registration according to some embodiments.
  • Figure 7 is a call flow diagram for user authentication and API invocation according to some embodiments.
  • Figure 8 is a logic flow diagram of a method performed by a communication device according to some embodiments.
  • Figures 9A-9B are a logic flow diagram of a method performed by a network node according to some embodiments.
  • Figures 10A-10B are a logic flow diagram of a method performed by a network node according to other embodiments.
  • Figure 11 is a logic flow diagram of a method performed by a network node according to still other embodiments.
  • Figure 12 is a logic flow diagram of a method performed by a network node according to yet other embodiments.
  • Figure 13 is a block diagram of a communication device according to some embodiments.
  • Figure 14 is a block diagram of a network node according to some embodiments.
  • Figure 15 is a block diagram of a communication system in accordance with some embodiments.
  • Figure 16 is a block diagram of a UE in accordance with some embodiments.
  • Figure 17 is a block diagram of a network node in accordance with some embodiments.
  • Figure 18 is a block diagram of a virtualization environment in accordance with some embodiments.
  • FIG. 1 shows a communication network 10 configured to provide communication service to a communication device 12 according to some embodiments.
  • The communication network 10 is configured to enable authentication of a user 12U of the communication device 12, e.g., by exploiting a passwordless authentication protocol such as the W3C WebAuthn protocol.
  • The communication device 12 as shown transmits a registration request 16 to a network node 14 in the communication network, e.g., a node implementing a User AuthN Function.
  • The registration request 16 may for instance be transmitted from an application layer of the communication device 12, e.g., by an application client executed on the communication device 12 and/or according to a passwordless authentication protocol such as the W3C WebAuthn protocol or standard.
  • The registration request 16 requests registration of the user 12U and/or a credential 12C associated with the user 12U.
  • The registration request 16 in this regard may include a user name 12N that the user 12U requests to be associated with. In this case, the registration request 16 may be said to request registration of the user name 12N for the user 12U.
  • The registration request 16 requests registration of the user 12U and/or the credential 12C in association with a certain subscription to the communication network 10.
  • The registration request 16 accordingly includes subscription identifying information 12S that identifies a subscription based on which the communication device 12 is registered with the communication network 10.
  • The subscription identifying information 12S may for example be a Generic Public Subscription Identifier (GPSI) or a Mobile Subscriber Integrated Services Digital Network Number (MSISDN).
  • Before accepting the registration request 16, the network node 14 validates that the communication device 12 has actually registered with the communication network 10 on the basis of the subscription identified by the subscription identifying information 12S included in the registration request 16. This effectively links registration of the user 12U (or the user's credential 12C) with registration of the communication device 12, so that authentication of the user 12U (and of the credential 12C associated with the user 12U) is tied to a certain communication device 12.
  • Upon receiving the registration request 16, the network node 14 checks whether the communication device 12 from which the registration request 16 was received is registered with the communication network 10 based on subscription identifying information that is the same as the subscription identifying information 12S included in the registration request 16. Such checking therefore effectively validates the subscription identifying information 12S included in the registration request 16.
  • The network node 14 may perform this validation itself, or employ assistance from one or more other network nodes. As shown in Figure 1, for example, the network node 14 performs a procedure 18 with another network node 17 to accomplish this validation.
  • In some embodiments, validation of the subscription identifying information 12S included in the registration request 16 involves translating a network layer address (e.g., Internet Protocol, IP, address) of the communication device 12 from which the registration request 16 was received into subscription identifying information.
  • When a communication device registers with the communication network 10, the communication network 10 allocates a network layer address to that communication device.
  • The subscription identifying information based on which any communication device is registered can therefore be looked up using the network layer address allocated to that communication device.
  • The network layer address from which the registration request 16 was received is used to look up the subscription identifying information corresponding to whatever communication device was allocated that network layer address. It is then checked whether the subscription identifying information resulting from that translation matches the subscription identifying information 12S included in the registration request 16. If they match, the subscription identifying information 12S included in the registration request 16 is deemed successfully validated. The strength of this check rests on the network layer address being one that the communication network 10 itself allocated and can attribute to a subscription, rather than on anything asserted by the communication device.
  • The network node 14 may itself perform both the translation and the subscription identifying information match check, i.e., checking whether the subscription identifying information resulting from the translation matches the subscription identifying information 12S included in the registration request 16.
  • Alternatively, the network node 14 may employ the assistance of network node 17 to perform the network layer address translation, with network node 17 returning the corresponding subscription identifying information.
  • The network node 14 in this case may perform the subscription identifying information match check using the result of the network layer address translation performed by network node 17.
  • Alternatively still, the network node 14 may employ the assistance of network node 17 to perform both the network layer address translation and the subscription identifying information match checking, with network node 17 returning the result of the match checking.
  • Generally, then, network node 14 may perform one or more of, or request another network node 17 to perform one or more of: (i) determining the subscription identifying information based on which the communication device 12 is registered with the communication network 10 by translating a network layer address of the communication device 12 to that subscription identifying information; and (ii) checking whether the determined subscription identifying information is the same as the subscription identifying information 12S included in the registration request 16.
  • The network node 14 may then decide whether or not to allow the registration request 16 based at least in part on the result of the subscription identifying information match checking. For example, the network node 14 may decide not to allow the registration request 16 responsive to failure of the match checking; in this case the network node 14 effectively concludes that the communication device from which the registration request 16 was received is not registered with the communication network 10 based on subscription identifying information that is the same as the subscription identifying information 12S included in the registration request 16. On the other hand, the network node 14 may decide to allow the registration request 16 responsive to success of the match checking; in this case the network node 14 effectively concludes that the communication device from which the registration request 16 was received is registered with the communication network 10 based on subscription identifying information that is the same as the subscription identifying information 12S included in the registration request 16.
  • The network node 14 may in any event transmit a response 20 to the registration request 16. If the network node 14 allows the registration request 16, the response 20 may prompt the communication device 12 to assert, and provide the network node 14 with, a credential 12C associated with the user 12U of the communication device 12.
  • The response 20 may for instance include a publicKeyCredentialRequestOptions parameter as described further below. (Note that in the W3C WebAuthn standard a registration ceremony is driven by a PublicKeyCredentialCreationOptions object, which carries the challenge, the relying-party and user identifiers and the accepted key algorithms, whereas PublicKeyCredentialRequestOptions drives the later authentication ceremony; an implementation should use the creation options at this step.)
  • In response, the communication device 12 generates a credential 12C associated with the user 12U of the communication device 12.
  • The credential 12C may for example be a public cryptographic key that is paired with a corresponding private cryptographic key, the private key remaining on the communication device 12.
  • The communication device 12 may obtain the credential 12C according to a passwordless authentication protocol such as the W3C WebAuthn protocol or standard.
  • The communication device 12 in some embodiments ensures that the credential 12C is associated with the user 12U by using biometrics, e.g., facial recognition or fingerprint identification. The biometric check is performed locally by the device's authenticator to gate use of the private key; the biometric itself is not sent to the network node 14.
  • The communication device 12 then transmits the credential 12C to the network node 14, e.g., within a registration information (info) message (msg) 22. In so doing, the communication device 12 asserts that the credential 12C is associated with the user 12U of the communication device 12.
  • In receipt of the credential 12C, the network node 14 registers the user 12U (e.g., by registering the user name 12N) and/or registers the credential 12C. In one or more such embodiments, the network node 14 registers the credential 12C as being associated with the user 12U and the communication device 12 in combination. As such, the credential 12C is registered as being valid for authenticating the user 12U only in connection with the communication device 12. In another such embodiment, the network node 14 registers the user 12U (e.g., by registering the user name 12N as being that of the user 12U), and associates the credential 12C with the user 12U and the communication device 12 in combination.
  • Either way, registration effectively associates the credential 12C with the user 12U and the communication device 12 in combination.
  • Registration may accomplish this by linking (1) user identifying information 12F that identifies the user 12U, such as the user name 12N or some other user identity unique to the user 12U; (2) the subscription identifying information 12S that identifies the subscription based on which the communication device 12 is registered with the communication network 10; and (3) the credential 12C.
  • The network node 14 may for example store the user identifying information 12F, the subscription identifying information 12S, and a credential record for the credential 12C in a user account maintained at the network node 14 for the user 12U.
  • Alternatively, the network node 14 may map the credential 12C to a user account maintained at the network node 14 for the user 12U, where the user account includes the user identifying information 12F and the subscription identifying information 12S.
  • Figure 1 shows that in some embodiments the network node 14 stores the user identifying information 12F, the subscription identifying information 12S, and the credential 12C in association with one another, e.g., in a registry 14R.
  • The network node 14 may also store the credential 12C as being identified by a credential identifier 12C-ID, e.g., where the credential identifier 12C-ID is provided by the communication device 12.
  • FIG. 1 shows a procedure for authenticating the user 12U using the credential 12C according to some embodiments.
  • the communication device 12 transmits an authentication request 30 to the network node 14 requesting to authenticate the user 12U with the credential 12C.
  • the authentication request 30 at least implicitly identifies the user 12U, the communication device 12 such as with subscription identifying information 12S, and the credential 12C.
  • the authentication request 30 includes a credential ID 12C-ID which is linked at the network node 14 to the credential 12C with which the user 12U is to be authenticated and which is also associated or linked to the user identifying information 12F and the subscription identifying information 12S at the network node 14.
  • the network node 14 in receipt of the authentication request 30 may determine which credential 12C is to be used for authentication as well as which user 12U is to be authenticated and which communication device 12 or associated subscription must be associated with that user 12U for authentication.
  • As a prerequisite for authentication of the user 12U to succeed, though, the network node 14 requires that the communication device from which the authentication request 30 was received be the same as the communication device 12 with which the credential 12C is registered as being associated. The network node 14 accordingly checks that this is the case as part of its decision about whether to accept the authentication request 30.
  • the network node 14 may exploit network layer address translation to check whether the communication device from which the authentication request 30 was received is the same as the communication device 12 with which the credential 12C is registered as being associated.
  • the network node 14 may accordingly perform, or request another network node 17 to perform, network layer address translation and/or subscription identifying information match checking.
  • the network layer address translation translates a network layer address of the communication device from which the authentication request 30 was received into a subscription identifier, e.g., based on the network layer address having been allocated by the communication network 10 to a communication device associated with that subscription identifier.
  • Subscription identifying information match checking then entails checking whether that subscription identifier is the same as the subscription identifier associated with the communication device 12 with which the credential 12C is registered as being associated.
  • If the subscription identifiers do not match, the network node 14 may decide that authentication of the user 12U has failed. This may be the case even if one or more other requirements for authentication (e.g., a valid signature) are met.
  • the authentication request 30 as shown in Figure 2 may also include a cryptographic signature 32.
  • the network node 14 attempts to verify the cryptographic signature 32 with the credential 12C that is associated with the user 12U and the communication device 12 in combination.
  • the credential 12C is a public cryptographic key paired with a corresponding private cryptographic key.
  • the authentication request 30 asserts that the cryptographic signature 32 has been created with the private cryptographic key and/or is verifiable with the public cryptographic key.
  • the network node 14 thereby attempts to verify the cryptographic signature 32 with the public cryptographic key, and decides whether or not authentication of the user 12U has succeeded or failed, based at least in part on whether the attempt to verify the cryptographic signature 32 succeeded or failed.
  • the network node 14 as shown in Figure 2 generates one or more tokens 34 and transmits the token(s) 34 to the communication device 12, e.g., in a response to the authentication request 30.
  • At least one of the token(s) 34 may operate as proof or evidence of authentication of the user 12U.
  • at least one of the token(s) 34 may operate as proof or evidence of authentication of the user 12U in combination with the communication device 12.
  • the token(s) 34 include a user identity token.
  • the user identity token may specifically represent that the identity of the user 12U has been authenticated. The user identity token may accordingly not be sufficient in and of itself to grant the user 12U access to any given network service.
  • the token(s) 34 may include an access token. The access token may represent that the user 12U in possession of the access token is authorized to access one or more network services.
  • the network node 14 additionally controls authorization of the user 12U and the communication device 12 in combination to access one or more network services.
  • the network node 14 may do so on the basis of a user profile 12P provisioned in the communication network 10 for the user 12U and the communication device 12 in combination.
  • the network node 14 may obtain the user profile 12P from another network node, e.g., implementing a user profile function.
  • the user profile 12P may for example indicate which one or more network services the user 12U and the communication device 12 in combination are nominally authorized to access.
  • the user profile 12P may indicate one or more dynamic conditions under which the user 12U and the communication device 12 in combination are, or are not, actually authorized to access the one or more network services.
  • Such dynamic condition(s) may also be referred to as constraints.
  • the dynamic condition(s) may for instance include a geographical location at which the user 12U and the communication device 12 in combination are, or are not, authorized to access the one or more network services.
  • the dynamic condition(s) may include a time period during which the user 12U and the communication device 12 in combination are, or are not, authorized to access the one or more network services. Either way, the network node 14 may check whether the user 12U and the communication device 12 in combination are authorized to access the requested network service according to the user profile 12P.
  • This may involve checking whether the user 12U and the communication device 12 in combination are nominally authorized to access the requested network service according to the user profile 12P and/or checking whether the one or more dynamic conditions in the user profile 12P are met.
  • the network node 14 may then allow or reject a request to access the requested network service depending on that checking. If the request is allowed, the network node 14 may issue the access token as described above, for granting the requested access.
  • the communication device 12 may transmit an access request 36 to a network service node 40 that provides or facilitates access to a network service, e.g., via an application programming interface (API).
  • the network service node 40 in some embodiments may take the form of an API exposing function.
  • the access request 36 includes the token(s) 34 based on which access to a network service (e.g., via an API) is requested.
  • the communication device 12 is exemplified as a user equipment (UE), and the communication network 10 is a 3GPP-based network.
  • embodiments herein support a use case for extended reality (XR)-enabled collaborative and concurrent engineering in product design using metaverse services, e.g., according to 3GPP TR 22.856 V19.2.0, Feasibility Study on Localized Mobile Metaverse Service, and as captured in Annex A.3 of 3GPP TS 22.156 V10.1.0.
  • User 1 belongs to company A, which owns a Distributed Virtual Environment for collaborative and concurrent engineering.
  • User 1 can access the Network QoS profile Video, Audio and Haptics for metaverse on whatever User Equipment, as long as User 1 is at the company A office location.
  • User 1 can access the Network QoS profile Video and Audio for metaverse on whatever User Equipment when User 1 is outside the company A office location.
  • User 2 belongs to company B, a partner company of A, and designs a key part of the component.
  • User 2 can access the Network QoS profile Video and Audio for metaverse on whatever User Equipment and wherever located.
  • Figure 3 shows User 1 and User 2 accessing network QoS profiles on their respective User Equipment.
  • User 1 (e.g., user1@example.com) with XR-enabled User Equipment (embedded 5G eSIM connectivity) starts collaborative and concurrent engineering in the Distributed Virtual Environment.
  • User 1 (e.g., user1@example.com) signs in to an existing application using whatever method they have been using (e.g., passkeys provided by Apple or Google).
  • The XR-enabled User Equipment prompts: "Do you (user1@example.com) want to register this device (input GPSI) with 5G connectivity (qualified Network QoS, connecting with camara.csp.com/qod)?"
  • CSP: communication service provider.
  • the phone prompts the user for a previously configured authorization gesture (PIN, biometric, etc.); the user provides this.
  • Some embodiments facilitate security and privacy aspects of mobile metaverse, e.g., addressing key issues in 3GPP TR 33.721 V0.1.0. Some embodiments alternatively or additionally address key issues in 3GPP TR 33.700-32 V0.1.0 about authentication and authorization of Human User ID, e.g., so as to provide a means to support authentication and authorization of a human user based on a User identifier linked to a 3GPP subscription.
  • Some embodiments enable the 3GPP system to allow a UE access to a slice or a network QoS based on successful User Identity authentication plus UE location-aware verification. Alternatively or additionally, some embodiments enable the 3GPP system to deny a UE access to a slice or a network QoS based on unsuccessful User Identity authentication and/or failed UE location-aware verification.
  • Some embodiments are applicable for use in either the scenario in Figure 4A, where one user (i.e., human) has one or more UE(s), or the scenario in Figure 4B, where one or more users (i.e., humans) share one User Equipment.
  • Some embodiments exploit standard passkeys to authenticate a User by using a biometric sensor (such as fingerprint or facial recognition) or a device PIN through the Device Authenticator (e.g., an Apple device's passkeys using Face ID or Touch ID, or Google Password Manager on Android). Some embodiments in particular connect passkeys, i.e., W3C WebAuthn, with the communication network 10 for associating the User Id and the subscriber Id or UE Id together.
  • the Web Authentication standard provides an API for accessing Public Key Credentials, e.g., for implementing passwordless sign-in using Passkeys for human user authentication.
  • Some embodiments generally introduce establishing a linkage between a human User identity and their User Equipment identity (CSP Subscriber Id) by preserving this relationship and its associated metadata (e.g., Public Key Credential, etc.) within the User Identity Authentication Function in the communication service provider (CSP) system (i.e., communication network 10).
  • User Identity Authentication Function can use W3C WebAuthN passwordless authentication technology for User Id association with UE Id, to identify the user who is using the device behind the 3GPP UE.
  • some embodiments use User identity authentication for Network API invocation, e.g., allow/deny a UE access to a network QoS policy based on successful/unsuccessful User Identity authentication.
  • The association of a User Identity (human user id) with a User Equipment identifier (CSP Subscriber Id) in some embodiments can also be used in CSP Network API authorization and consent management.
  • Certain embodiments may provide one or more of the following technical advantage(s). Some embodiments integrate Internet technologies like W3C Web Authentication and CSP technology to enable combined authentication of User IDs (or human users) and CSP User Equipment.
  • FIG. 5 is a block diagram of a UE as well as various network functions for implementing one or more embodiments.
  • Some embodiments in particular introduce User Identity Authentication Function (also called User AuthN Function) for managing a User Identity database storing the public key and other metadata to associate with User Equipment Identity.
  • UE Identity may take the form of a subscription identifier that identifies a subscription associated with a UE.
  • the User AuthN Function may for example be implemented by network node 14 in Figure 1 .
  • the User Identity AuthN Function manages the user account database storing the public key and other metadata etc.
  • the User Identity AuthN Function uses W3C WebAuthN technology to parse data from the Application Client on the User Equipment and uses it for User Identity registration and authentication.
  • Some embodiments expose a User Identity authentication Network API towards the application for User Identity registration and authentication using W3C WebAuthN technology. That is, in order to support User Identity authentication behind the UE, some embodiments propose to add an Nnef_WebAuthN API in 3GPP for user identity registration and authentication, using W3C Web Authentication technology for accessing the Public Key Credential for the User Identity.
  • Figure 6 shows User Identity registration in CSP systems with associating UE ID according to some embodiments, with reference numbers of elements corresponding to that from Figure 1 which each element exemplifies.
  • the CSP User AuthN Function (network node 14) is hosted at, e.g., userAuthN.csp.com.
  • Step 2 App Client calls the User AuthN API to fetch registration information.
  • the request of Step 2 exemplifies the registration request 16 in Figure 1.
  • Step 4 User AuthN Function generates user.id and challenge.id, and links user.id with user.name, UE ID, and rp.id (userAuthN.csp.com).
  • Step 5 User AuthN Function generates PublicKeyCredentialCreationOptions including user.id, challenge.id, and the user.id linkage with user.name, UE ID, and rp.id (userAuthN.csp.com).
  • Step 6 User AuthN Function responds to App Client with OK and the PublicKeyCredentialCreationOptions for registration. This response exemplifies the response 20 in Figure 1.
  • Step 7 App Client calls the OS Passkeys API, e.g. the CredentialMgmt API navigator.credentials.create(), to create a User AuthN registration including challenge.id, user.id, rp.id.
  • Step 8 UE OS triggers the device Authenticator to identify user.
  • Step 9 Device Authenticator requests user consent using the device screen lock (e.g., Face ID, fingerprint, etc.).
  • Step 10 Device Authenticator generates a new key pair, credential.id and attestation related to user.id, rp.id, challenge.id after user verification.
  • the public key of the new key pair exemplifies the credential 12C in Figure 1 .
  • Step 11 Authenticator returns signed data with PublicKeyCredential including: credential.id, clientDataJSON, attestationObject.
  • Step 12 UE OS returns the result to App Client.
  • Step 13 App Client calls User AuthN API to send the registration info to User AuthN Function including PublicKeyCredential.
  • the Public Key included in PublicKeyCredential exemplifies the credential 12C in Figure 1.
  • Step 14 User AuthN Function parses PublicKeyCredential to validate challenge.id, user.id, rp.id, and to extract the related credential.id and Public Key.
  • Step 15 User AuthN Function stores the credential.id and Public Key associated with user.name, UE ID, rp.id. This exemplifies the registry 14R in Figure 1. In some embodiments, the stored attributes include credential record items such as the attestationObject and attestationClientDataJSON described further below.
  • Step 16 User AuthN returns registration result to App Client.
  • Step 17 App Client returns to the User a response with user.name associated with UE ID result. Notably in Steps 3-5, then, the user.name is associated with UE ID in the registration steps.
  • Steps 6-13 reuse W3C WebAuthN standards (https://www.w3.org/TR/webauthn-3/) and mobile phone existing practices on passkeys support (e.g., Google passkeys support, Apple passkeys support).
  • Although W3C WebAuthN standards together with device passkeys implementations are used here for human user identity authentication, other authentication technologies such as password-based authentication can also be used.
  • Figure 7 shows User Identity authentication when the Application Client invokes CSP User AuthN APIs according to some embodiments.
  • Step 1 a network capability is requested, e.g., Network QoS profile Video, Audio and Haptics.
  • Step 2 App Client (e.g., CSP Relying Party Application on UE) calls the User AuthN API to fetch user authentication information.
  • Step 3 User AuthN Function generates PublicKeyCredentialRequestOptions including challenge.id, rp.id.
  • Step 4 User AuthN Function responds OK with the PublicKeyCredentialRequestOptions.
  • Step 5 App Client calls the OS passkeys API, e.g. the CredentialMgmt API navigator.credentials.get(), to request a user authentication.
  • Step 6 UE OS triggers the device Authenticator to identify the user.
  • Step 7 Device Authenticator requests user consent using the device screen lock (e.g., Face ID, fingerprint, etc.).
  • Step 8 Device Authenticator returns the result to the OS, including authenticatorData and signature.
  • Step 9 UE OS returns the signed data with the Public Key Credential to App Client.
  • Step 10 App Client calls the User AuthN API to send authentication info with the AuthenticatorAssertionResponse including credential.id, clientDataJSON, authenticatorData, signature. This may exemplify the authentication request 30 in Figure 2.
  • Step 11 User AuthN Function uses credential.id to look up the user.name and UE ID in the user identity registration data stored above, parses clientDataJSON to validate challenge.id, and parses authenticatorData to check the rp.id hash and flags; the public key used for verification is the one stored for credential.id at registration, not data carried in the assertion.
  • Step 12 User AuthN Function verifies the signature against the user's public key.
  • Step 13 User AuthN Function validates the UE ID against the UE IP address using the CSP Number Verification network service.
  • Step 14 User AuthN Function generates User Id token (present user.name, UE ID) after authentication in success.
  • Step 15 User AuthN Function returns App Client the result with the User Id token.
  • This User Id token exemplifies the token(s) 34 in Figure 2.
  • Step 16 App Client invokes a Network API, e.g., Nnef_AsSessionWithQoS, with a custom HTTP header carrying the User Id token from the User AuthN function. This invocation exemplifies the access request 36 in Figure 2.
  • Step 17 API Exposure Function verifies the User Id token with the User AuthN function, and allows or denies the API invocation based on the User Id token validation. At this step, if another user has not registered or has not been authenticated in the CSP User AuthN Function, that user will not carry a valid User Id token and the API invocation will be denied.
  • Steps 4-10 reuse W3C WebAuthN standards (https://www.w3.org/TR/webauthn-3/) and mobile phone existing practices on passkeys support (e.g., Google passkeys support, Apple passkeys support).
  • Although W3C WebAuthN standards together with device passkeys implementations are used here for human user identity authentication, other embodiments can use other authentication technologies such as password-based authentication.
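The authentication path of Figure 7 (steps 10-14), together with the network-layer address translation check described for authentication request 30 earlier on this page, worked through as an added runnable example in Go. This is not code from the patent or from Ericsson. Assumptions: the passkey uses ES256 (ECDSA over P-256, the common passkey algorithm); the IP-to-GPSI lookup is a static map standing in for the CSP Number Verification service; registration (Figure 6, including attestation parsing) is represented only by a pre-populated registry record; and the user name, GPSIs, IP addresses, challenges and User Id token format are all constructed for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// CredentialRecord is one registry 14R entry as written at Fig. 6 step 15.
type CredentialRecord struct {
	UserName string
	UEID     string // CSP subscriber id (GPSI), e.g. "msisdn-46700000001" (constructed)
	PubKey   *ecdsa.PublicKey
}

// Assertion is what the App Client forwards at Fig. 7 step 10 (authentication request 30).
type Assertion struct {
	CredentialID      string
	ClientDataJSON    []byte
	AuthenticatorData []byte // rpIdHash(32) | flags(1) | signCount(4) | ...
	Signature         []byte // ES256: DER ECDSA over authenticatorData || SHA-256(clientDataJSON)
}

// UserAuthNFunction models network node 14. IPToGPSI is a stub for the CSP's
// IP-to-subscription lookup ("Number Verification"); a real node queries the network.
type UserAuthNFunction struct {
	RPID, Origin string
	Registry     map[string]*CredentialRecord // keyed by credential.id
	IPToGPSI     map[string]string            // UE IP address allocated by the network -> GPSI
}

// Authenticate performs Fig. 7 steps 11-14. Every check fails closed, so a valid
// signature arriving from another UE's address is still rejected.
func (f *UserAuthNFunction) Authenticate(a Assertion, challenge, srcIP string) (string, error) {
	rec, ok := f.Registry[a.CredentialID]
	if !ok {
		return "", errors.New("unknown credential.id")
	}
	var cd map[string]string
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return "", err
	}
	if cd["type"] != "webauthn.get" || cd["challenge"] != challenge || cd["origin"] != f.Origin {
		return "", errors.New("clientDataJSON type/challenge/origin mismatch")
	}
	rpHash := sha256.Sum256([]byte(f.RPID))
	if len(a.AuthenticatorData) < 37 || !bytes.Equal(a.AuthenticatorData[:32], rpHash[:]) {
		return "", errors.New("authenticatorData malformed or rp.id hash mismatch")
	}
	if a.AuthenticatorData[32]&0x05 != 0x05 { // UP (0x01) and UV (0x04) flags both required
		return "", errors.New("user presence/verification not asserted")
	}
	cdHash := sha256.Sum256(a.ClientDataJSON)
	msg := sha256.Sum256(append(append([]byte{}, a.AuthenticatorData...), cdHash[:]...))
	if !ecdsa.VerifyASN1(rec.PubKey, msg[:], a.Signature) {
		return "", errors.New("signature does not verify under the registered public key")
	}
	// Step 13: translate the request's network-layer address into a subscription id
	// and require it to equal the UE ID bound to this credential.
	if gpsi, ok := f.IPToGPSI[srcIP]; !ok || gpsi != rec.UEID {
		return "", errors.New("request did not come from the UE bound to this credential")
	}
	// Step 14: User Id token. Its format is an assumption; sign or encrypt it in practice.
	return fmt.Sprintf("user=%s;ueid=%s", rec.UserName, rec.UEID), nil
}

// SimulateAuthenticator stands in for the device authenticator (Fig. 7 steps 5-9).
func SimulateAuthenticator(priv *ecdsa.PrivateKey, credID, challenge, origin, rpID string) Assertion {
	cdj, _ := json.Marshal(map[string]string{"type": "webauthn.get", "challenge": challenge, "origin": origin})
	rpHash := sha256.Sum256([]byte(rpID))
	ad := append(rpHash[:], 0x05, 0, 0, 0, 1) // flags UP|UV, then a 4-byte signature counter
	cdHash := sha256.Sum256(cdj)
	msg := sha256.Sum256(append(append([]byte{}, ad...), cdHash[:]...))
	sig, _ := ecdsa.SignASN1(rand.Reader, priv, msg[:])
	return Assertion{CredentialID: credID, ClientDataJSON: cdj, AuthenticatorData: ad, Signature: sig}
}

// Scenario registers one passkey for user1@example.com on UE msisdn-46700000001 (constructed
// data), authenticates from that UE's address, then repeats with a fresh challenge from another
// UE's address. Returns the token and both outcomes.
func Scenario() (token string, sameUEErr, otherUEErr error) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	f := &UserAuthNFunction{
		RPID: "userAuthN.csp.com", Origin: "https://userAuthN.csp.com",
		Registry: map[string]*CredentialRecord{"cred-1": {UserName: "user1@example.com", UEID: "msisdn-46700000001", PubKey: &priv.PublicKey}},
		IPToGPSI: map[string]string{"10.0.0.7": "msisdn-46700000001", "10.0.0.9": "msisdn-46700000002"},
	}
	token, sameUEErr = f.Authenticate(SimulateAuthenticator(priv, "cred-1", "challenge-1", f.Origin, f.RPID), "challenge-1", "10.0.0.7")
	_, otherUEErr = f.Authenticate(SimulateAuthenticator(priv, "cred-1", "challenge-2", f.Origin, f.RPID), "challenge-2", "10.0.0.9")
	return
}

func main() { fmt.Println(Scenario()) }
```

The second call is the point of step 13: the assertion is cryptographically valid, yet it is refused because the source address resolves to a different subscription than the one the credential was registered with. A production User AuthN Function would additionally keep the challenge single-use on the server side, persist and compare the authenticator's signature counter, and sign the User Id token so that the API Exposure Function (step 17) can verify it without a round trip.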
  • a User Profile Function manages user profiles associated with a UE and the services accessed by the UE.
  • Such a user profile may be an example of the user profile 12P in Figure 2.
  • a user profile may be defined by CSP and associated with the UE subscription.
  • Order Management system may provision the user profiles to User Profile Function.
  • a user profile may be defined by the UE owner (e.g., Enterprise). In this case, UE owner may directly provision the user profiles to User Profile Function.
  • a user profile may include information about authorizing this user to access a certain service through the target UE.
  • a user profile may include one or more of:
  • CSP subscriber Id, e.g., GPSI
  • Network services subscription, e.g., Network QoS profile Video, Audio, Haptics for Metaverse
  • the User AuthN Function may obtain the user profile from the User Profile Function and issue an access token taking the user profile into account.
  • the authentication request may include information about the services that the user wants to access. This information may also be taken into account when issuing the access token.
  • the User AuthN Function may provide both the User ID Token and access token, may provide only the User ID Token, or may provide only the access token.
  • the User Profile Function may be located in different layers, such as a part of UDM or the User AuthN Function, or as a separate function.
  • the User AuthN Function may obtain the UE location and use that information in the authorization decision.
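The per-service authorization decision described above (nominal entitlement from the user profile 12P, then the location and time-period constraints, with the UE location obtained by the User AuthN Function), worked through in Go for the Figure 3 scenario. This is an added example, not the patent's or Ericsson's code; the user names, GPSIs, the location label "companyA-office" and the time window are constructed, and the UE location is taken as an input the network already knows.

```go
package main

import (
	"fmt"
	"time"
)

// Constraint is a dynamic condition from the user profile. Empty AllowedLocations
// means "any location"; zero NotBefore/NotAfter mean "no time window".
type Constraint struct {
	AllowedLocations    []string
	NotBefore, NotAfter time.Time
}

// UserProfile is user profile 12P for one user+UE combination: the services the pair is
// nominally authorized for, each with the constraint under which the entitlement applies.
type UserProfile struct {
	UserName string
	UEID     string // CSP subscriber id (GPSI); the Figure 3 scenario grants the same rights on any UE
	Services map[string]Constraint
}

// Context is what the network knows at decision time: the UE's location and the clock.
type Context struct {
	Location string
	Now      time.Time
}

// Satisfied evaluates the dynamic condition and explains a refusal.
func (c Constraint) Satisfied(ctx Context) (bool, string) {
	if len(c.AllowedLocations) > 0 {
		permitted := false
		for _, l := range c.AllowedLocations {
			if l == ctx.Location {
				permitted = true
			}
		}
		if !permitted {
			return false, "UE location " + ctx.Location + " not permitted for this service"
		}
	}
	if !c.NotBefore.IsZero() && ctx.Now.Before(c.NotBefore) {
		return false, "outside permitted time period"
	}
	if !c.NotAfter.IsZero() && ctx.Now.After(c.NotAfter) {
		return false, "outside permitted time period"
	}
	return true, ""
}

// Authorize decides per requested service: nominal entitlement first, then the dynamic
// conditions. granted keeps request order; denied maps each refused service to its reason.
func Authorize(p UserProfile, requested []string, ctx Context) (granted []string, denied map[string]string) {
	denied = map[string]string{}
	for _, svc := range requested {
		c, nominal := p.Services[svc]
		if !nominal {
			denied[svc] = "not in user profile for this user+UE combination"
			continue
		}
		if ok, why := c.Satisfied(ctx); !ok {
			denied[svc] = why
			continue
		}
		granted = append(granted, svc)
	}
	return granted, denied
}

// DemoProfiles encodes the Figure 3 scenario with constructed identifiers: User 1 of company A
// gets Haptics only at the company A office (the 2025 time window is an added illustration of a
// time-period constraint); User 2 of partner company B gets Video and Audio anywhere, never Haptics.
func DemoProfiles() map[string]UserProfile {
	officeOnly := Constraint{
		AllowedLocations: []string{"companyA-office"},
		NotBefore:        time.Date(2025, 1, 1, 0, 0, 0, 0, time.UTC),
		NotAfter:         time.Date(2025, 12, 31, 23, 59, 59, 0, time.UTC),
	}
	anywhere := Constraint{}
	return map[string]UserProfile{
		"user1@example.com": {UserName: "user1@example.com", UEID: "msisdn-46700000001",
			Services: map[string]Constraint{"Video": anywhere, "Audio": anywhere, "Haptics": officeOnly}},
		"user2@example.com": {UserName: "user2@example.com", UEID: "msisdn-46700000002",
			Services: map[string]Constraint{"Video": anywhere, "Audio": anywhere}},
	}
}

func main() {
	ctx := Context{Location: "home", Now: time.Date(2025, 5, 12, 10, 0, 0, 0, time.UTC)}
	granted, denied := Authorize(DemoProfiles()["user1@example.com"], []string{"Video", "Audio", "Haptics"}, ctx)
	fmt.Println("granted:", granted, "denied:", denied)
}
```

The result of Authorize is what the User AuthN Function would encode into the access token: only the granted subset, so a later API invocation cannot widen its scope by naming a service the profile never allowed. Evaluating the constraints at authentication time rather than baking them into a long-lived token is what makes the "dynamic" conditions dynamic; a location change after issuance is only caught if the token is short-lived or the service re-checks.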
  • the User Identity AuthN Function can also provide User Identity lifecycle management, e.g., deregistration of the User Identity association with the UE ID, using a procedure similar to that defined above.
  • W3C WebAuthN is an API enabling the creation and use of strong, attested, scoped, public key-based credentials by web applications, for the purpose of strongly authenticating users.
  • a public key credential is created and stored by a WebAuthn Authenticator at the behest of a WebAuthn Relying Party, subject to user consent. Subsequently, the public key credential can only be accessed by origins belonging to that Relying Party. This scoping is enforced jointly by conforming User Agents and authenticators. Additionally, privacy across Relying Parties is maintained; Relying Parties are not able to detect any properties, or even the existence, of credentials scoped to other Relying Parties.
  • the Web Authentication API comprises a PublicKeyCredential which extends the Credential Management API [CREDENTIAL-MANAGEMENT-1], and infrastructure which allows those credentials to be used with navigator.credentials.create() and navigator.credentials.get(). The former is used during Registration, and the latter during Authentication.
  • attestation is a statement that serves to bear witness, confirm, or authenticate.
  • attestation is employed to provide verifiable evidence as to the origin of an authenticator and the data it emits. This includes such things as credential IDs, credential key pairs, signature counters, etc.
  • a credential key pair is a pair of asymmetric cryptographic keys generated by an authenticator and scoped to a specific WebAuthn Relying Party. It is the central part of a public key credential.
  • a credential public key is the public key portion of a credential key pair. The credential public key is returned to the Relying Party during a registration ceremony.
  • a credential private key is the private key portion of a credential key pair. The credential private key is bound to a particular authenticator - its managing authenticator - and is expected to never be exposed to any other party, not even to the owner of the authenticator.
  • attestationObject The value of the attestationObject attribute when the public key credential source was registered.
  • attestationClientDataJSON The value of the clientDataJSON attribute when the public key credential source was registered. Storing this in combination with the above attestationobject item enables the Relying Party to re-verify the attestation signature at a later time.
  • An attestation signature is produced when a new public key credential is created via an authenticatorMakeCredential operation.
  • An attestation signature provides cryptographic proof of certain properties of the authenticator and the credential. For instance, an attestation signature asserts the authenticator type (as denoted by its AAGUID) and the credential public key.
  • the attestation signature is signed by an attestation private key, which is chosen depending on the type of attestation desired.
  • a credential is data one entity presents to another in order to authenticate the former to the latter [RFC4949].
  • the term public key credential refers to one of: a public key credential source, the possibly-attested credential public key corresponding to a public key credential source, or an authentication assertion.
  • a "credential" may be either a) the thing presented to prove a statement or b) intended to be used multiple times.
  • the authenticator creates an asymmetric key pair, and stores its private key portion and information from the Relying Party into a public key credential source.
  • the public key portion is returned to the Relying Party, which then stores it in the active user account.
  • only that Relying Party, as identified by its RP ID, is able to employ the public key credential in authentication ceremonies, via the get() method.
  • the Relying Party uses its stored copy of the credential public key to verify the resultant authentication assertion.
  • Registration Ceremony The ceremony where a user, a Relying Party, and the user’s client platform (containing or connected to at least one authenticator) work in concert to create a public key credential and associate it with a user account. Note that this includes employing a test of user presence or user verification. After a successful registration ceremony, the user can be authenticated by an authentication ceremony.
  • Authentication ceremony The ceremony where a user, and the user’s client platform (containing or connected to at least one authenticator) work in concert to cryptographically prove to a Relying Party that the user controls the credential private key of a previously-registered public key credential (see Registration). Note that this includes a test of user presence or user verification.
  • a user account denotes the mapping of a set of credentials [CREDENTIAL-MANAGEMENT-1] to a (sub)set of a Relying Party's resources, as maintained and authorized by the Relying Party.
  • the Relying Party maps a given public key credential to a user account by assigning a user account-specific value to the credential’s user handle and storing a credential record for the credential in the user account.
  • This mapping, the set of credentials, and their authorizations may evolve over time.
  • a given user account might be accessed by one or more natural persons (also known as "users"), and one natural person might have access to one or more user accounts, depending on actions of the user(s) and the Relying Party.
  • Figure 8 depicts a method performed by a communication device in accordance with particular embodiments.
  • the method includes transmitting, to a network node in a communication network, a registration request that requests registration of a user of the communication device and/or registration of a credential associated with the user, wherein the registration request includes subscription identifying information that identifies a subscription based on which the communication device is registered with the communication network (Block 800).
  • the registration request requests registration of a user name for the user with the subscription identifying information.
  • the subscription identifying information is a GPSI or an MSISDN.
  • the method further comprises, after registration of the user and/or the credential, transmitting an authentication request to the network node requesting authentication of the user with the credential (Block 810).
  • the authentication request includes a user name with which the user is registered.
  • the authentication request includes information about one or more network services to which the user requests access.
  • the method further comprises receiving one or more tokens from the network node in response to the authentication request (Block 820).
  • the method further comprises transmitting an invocation request requesting invocation of a network service on the basis of at least one of the one or more tokens, wherein the invocation request includes the at least one of the one or more tokens (Block 830).
  • the one or more tokens include a user identity token that includes a username of the user and/or the subscription identifying information.
  • the one or more tokens alternatively or additionally include an access token that indicates the user and the communication device in combination are authorized to access the requested network service.
  • the credential is a public cryptographic key that is paired with a corresponding private cryptographic key.
  • the method is performed by an application client executed on the communication device.
  • the application client is an application client of a communication service provider that provides the communication network.
  • the network node implements a User AuthN Function.
  • the user is a human user.
  • the registration request is transmitted according to a W3C WebAuthN protocol or standard.
  • the registration request is transmitted according to a passwordless authentication protocol.
  • the credential is a password.
  • Figures 9A-9B depict a method performed by a network node in a communication network in accordance with other particular embodiments.
  • the method includes receiving, from a communication device, a credential that is attested as being associated with a user of the communication device (Block 900).
  • the method also comprises registering the credential with the network node as being associated with the user and the communication device in combination (Block 910).
  • said registering comprises associating the credential with the user and the communication device in combination by linking user identifying information that identifies the user, subscription identifying information that identifies a subscription based on which the communication device is registered with the communication network, and the credential.
  • said linking comprises mapping the credential to a user account maintained for the user at the network node.
  • the user account for the user includes the user identifying information and the subscription identifying information.
  • said linking comprises storing, in a user account maintained at the network node for the user, the user identifying information.
  • said linking comprises storing, in a user account maintained at the network node for the user, the subscription identifying information.
  • said linking comprises storing, in a user account maintained at the network node for the user, a credential record for the credential.
  • the user identifying information is a user identity or a user name.
  • the subscription identifying information is a GPSI or an MSISDN.
  • said linking comprises storing, in a data structure at the network node, data that indicates for the user identifying information and the credential, one or more subscription identifiers that identify one or more respective subscriptions based on which one or more communication devices are registered with the communication network.
  • said linking comprises storing, in a data structure at the network node, data that indicates for the subscription identifying information, one or more user-credential pairs.
  • each user-credential pair comprises a pair of user identifying information identifying the user and a credential registered as being associated with the user.
  • said receiving further comprises receiving a credential identifier that identifies the credential, and said registering comprises registering the credential as being identified by the credential identifier.
  • said registering comprises registering the credential as being valid for authenticating the user if the user is using the communication device.
  • the method further comprises, after registering the credential, receiving a request to authenticate the user with the credential (Block 920). In some embodiments, the method further comprises checking whether a communication device from which the request was received is one of the communication devices with which the credential is registered as being associated (Block 930).
  • said checking comprises performing one or more of, or requesting another network node to perform one or more of: (i) translating a network layer address of the communication device from which the request was received to a subscription identifier, based on the network layer address having been allocated by the communication network to a communication device associated with that subscription identifier; and (ii) checking whether the subscription identifier is the same as a subscription identifier associated with one of the communication devices with which the credential is registered as being associated.
  • the method further comprises deciding that authentication of the user has failed, based on the communication device from which the request was received not being one of the communication devices with which the credential is registered as being associated according to said checking. In other embodiments, the method further comprises deciding that authentication of the user has succeeded, based at least in part on the communication device from which the request was received being one of the communication devices with which the credential is registered as being associated according to said checking.
  • the credential is a public cryptographic key paired with a corresponding private cryptographic key.
  • the request includes a cryptographic signature asserted as being created with the private cryptographic key and/or as being verifiable with the public cryptographic key.
  • the method further comprises attempting to verify the cryptographic signature with the public cryptographic key. In some embodiments, the method further comprises deciding whether authentication of the user has succeeded or failed, based at least in part on whether the attempt to verify the cryptographic signature succeeded or failed. In some embodiments, the request to authenticate the user includes a credential identifier that identifies the credential to be used for authenticating the user. In some embodiments, the method further comprises, based on authentication of the user succeeding, generating a token and transmitting the token in a response to the request (Block 940).
  • the method further comprises, before receiving the credential, receiving a request to register a user name for the user with subscription identifying information that identifies a subscription to the communication network, wherein the request includes the subscription identifying information (Block 950). In some embodiments, the method further comprises checking whether a communication device from which the request was received is registered with the communication network based on the same subscription identifying information as that included in the request (Block 960). In some embodiments, the method further comprises deciding whether or not to register the user name according to the request based at least in part on said checking (Block 970).
  • said checking comprises performing one or more of, or requesting another network node to perform one or more of: (i) translating a network layer address of the communication device from which the request was received to subscription identifying information, based on the network layer address having been allocated by the communication network to a communication device associated with that subscription identifying information; and (ii) checking whether the subscription identifying information is the same as the subscription identifying information included in the request.
  • the credential is a public cryptographic key that is paired with a corresponding private cryptographic key.
  • the credential is received from an application client executed by the communication device.
  • the application client is an application client of a communication service provider that provides the communication network.
  • the network node implements a User AuthN Function.
  • the user is a human user.
  • the credential is received and registered according to a W3C WebAuthN protocol or standard. In some embodiments, the credential is received and registered according to a passwordless authentication protocol.
  • the credential is a password.
  • the method further comprises obtaining a user profile provisioned in the communication network for the user and the communication device in combination (Block 980).
  • the user profile indicates which one or more network services the user and the communication device in combination are nominally authorized to access (Block 985).
  • the user profile alternatively or additionally indicates one or more dynamic conditions under which the user and the communication device in combination are, or are not, actually authorized to access the one or more network services (Block 990).
  • the method further comprises controlling authorization of the user and the communication device in combination to access one or more network services according to the user profile (Block 995). In some embodiments, said controlling comprises receiving, from the communication device, a request by the user to access a network service.
  • said controlling comprises checking whether the user and the communication device in combination are authorized to access the requested network service according to the user profile. In some embodiments, said controlling comprises allowing or rejecting the request to access the requested network service depending on said checking. In some embodiments, said allowing or rejecting comprises allowing the request and transmitting a response to the request including an access token granting the user and the communication device in combination access to the requested network service. In some embodiments, said checking comprises checking whether the user and the communication device in combination are nominally authorized to access the requested network service according to the user profile. In other embodiments, said checking alternatively or additionally comprises checking whether the one or more dynamic conditions in the user profile are met.
  • the one or more dynamic conditions include a location at which the user and the communication device in combination are, or are not, authorized to access the one or more network services. In other embodiments, the one or more dynamic conditions alternatively or additionally include a time period during which the user and the communication device in combination are, or are not, authorized to access the one or more network services. In some embodiments, obtaining the user profile comprises receiving the user profile from another network node that implements a user profile function.
  • Figures 10A-10B depict a method performed by a network node in a communication network in accordance with other particular embodiments.
  • the method includes receiving, from a communication device, a credential that is attested as being associated with a user of the communication device (Block 1000).
  • the method also comprises registering the user with the network node, including associating the credential with the user and the communication device in combination (Block 1010).
  • said associating the credential with the user and the communication device in combination comprises linking user identifying information that identifies the user, subscription identifying information that identifies a subscription based on which the communication device is registered with the communication network, and the credential.
  • said linking comprises mapping the credential to a user account maintained for the user at the network node.
  • the user account for the user includes the user identifying information and the subscription identifying information.
  • said linking comprises storing, in a user account maintained at the network node for the user, the user identifying information.
  • said linking comprises storing, in a user account maintained at the network node for the user, the subscription identifying information.
  • said linking comprises storing, in a user account maintained at the network node for the user, a credential record for the credential.
  • the user identifying information is a user identity or a user name.
  • the subscription identifying information is a GPSI or an MSISDN.
  • said linking comprises storing, in a data structure at the network node, data.
  • the data indicates, for the user identifying information and the credential, one or more subscription identifiers that identify one or more respective subscriptions based on which one or more communication devices are registered with the communication network.
  • the data indicates, for the subscription identifying information, one or more user-credential pairs, wherein each user-credential pair comprises a pair of user identifying information identifying the user and a credential registered as being associated with the user.
  • said receiving further comprises receiving a credential identifier that identifies the credential, and wherein said registering comprises registering the credential as being identified by the credential identifier.
  • said registering comprises registering the user as being authenticatable by the credential if the user is using the communication device.
  • the method further comprises, after registering the user, receiving a request to authenticate the user with the credential (Block 1020). In some embodiments, the method further comprises checking whether a communication device from which the request was received is one of the communication devices with which the credential is associated (Block 1030).
  • said checking comprises performing one or more of, or requesting another network node to perform one or more of: (i) translating, or requesting another network node to translate, a network layer address of the communication device from which the request was received to a subscription identifier, based on the network layer address having been allocated by the communication network to a communication device associated with that subscription identifier; and (ii) checking whether the subscription identifier is the same as a subscription identifier associated with one of the communication devices from which the request was received.
  • the method further comprises deciding that authentication of the user has failed, based on the communication device from which the request was received not being one of the communication devices with which the credential is associated according to said checking.
  • the method further comprises deciding that authentication of the user has succeeded, based at least in part on the communication device from which the request was received being one of the communication devices with which the credential is associated according to said checking.
  • the credential is a public cryptographic key paired with a corresponding private cryptographic key.
  • the request includes a cryptographic signature asserted as being created with the private cryptographic key and/or as being verifiable with the public cryptographic key.
  • the method further comprises attempting to verify the cryptographic signature with the public cryptographic key.
  • the method further comprises deciding whether authentication of the user has succeeded or failed, based at least in part on whether the attempt to verify the cryptographic signature succeeded or failed.
  • the request to authenticate the user includes a credential identifier that identifies the credential to be used for authenticating the user.
  • the method further comprises, based on authentication of the user succeeding, generating a token and transmitting the token in a response to the request (Block 1040).
  • said registering comprises, before receiving the credential, receiving a request to register a user name for the user with subscription identifying information that identifies a subscription to the communication network (Block 1050).
  • the request includes the subscription identifying information.
  • said registering comprises checking whether a communication device from which the request was received is registered with the communication network based on the same subscription identifying information as that included in the request (Block 1060).
  • said registering comprises deciding whether or not to register the user name according to the request based at least in part on said checking (Block 1070).
  • said checking comprises translating a network layer address of the communication device from which the request was received to subscription identifying information, based on the network layer address having been allocated by the communication network to a communication device associated with that subscription identifying information. In some embodiments, said checking comprises checking whether the subscription identifying information is the same as the subscription identifying information based on which the communication device from which the request was received is registered with the communication network.
  • the credential is a public cryptographic key that is paired with a corresponding private cryptographic key.
  • the credential is received from an application client executed by the communication device.
  • the application client is an application client of a communication service provider that provides the communication network.
  • the network node implements a User AuthN Function.
  • the user is a human user.
  • the credential is received and the user registered according to a W3C WebAuthN protocol or standard.
  • the credential is received and the user registered according to a passwordless authentication protocol.
  • the credential is a password.
  • the method further comprises obtaining a user profile provisioned in the communication network for the user and the communication device in combination (Block 1080).
  • the user profile indicates which one or more network services the user and the communication device in combination are nominally authorized to access (Block 1085).
  • the user profile alternatively or additionally indicates one or more dynamic conditions under which the user and the communication device in combination are, or are not, actually authorized to access the one or more network services (Block 1090).
  • the method further comprises controlling authorization of the user and the communication device in combination to access one or more network services according to the user profile (Block 1095). In some embodiments, said controlling comprises receiving, from the communication device, a request by the user to access a network service.
  • said controlling comprises checking whether the user and the communication device in combination are authorized to access the requested network service according to the user profile. In some embodiments, said controlling comprises allowing or rejecting the request to access the requested network service depending on said checking. In some embodiments, said allowing or rejecting comprises allowing the request and transmitting a response to the request including an access token granting the user and the communication device in combination access to the requested network service.
  • In some embodiments, said checking comprises checking whether the user and the communication device in combination are nominally authorized to access the requested network service according to the user profile. In other embodiments, said checking alternatively or additionally comprises checking whether the one or more dynamic conditions in the user profile are met. In some embodiments, the one or more dynamic conditions include a location at which the user and the communication device in combination are, or are not, authorized to access the one or more network services. In other embodiments, the one or more dynamic conditions alternatively or additionally include a time period during which the user and the communication device in combination are, or are not, authorized to access the one or more network services. In some embodiments, obtaining the user profile comprises receiving the user profile from another network node that implements a user profile function.
  • the method further comprises deregistering the user.
  • Figure 11 depicts a method performed by a network node in a communication network in accordance with particular embodiments.
  • the method includes obtaining a user profile provisioned in the communication network for a user and a communication device in combination (Block 1100).
  • the user profile indicates which one or more network services the user and the communication device in combination are nominally authorized to access (Block 1110).
  • the user profile alternatively or additionally indicates one or more dynamic conditions under which the user and the communication device in combination are, or are not, actually authorized to access the one or more network services (Block 1120).
  • the method also comprises controlling authorization of the user and the communication device in combination to access one or more network services according to the user profile (Block 1130).
  • said controlling comprises receiving, from the communication device, a request by the user to access a network service. In some embodiments, said controlling comprises checking whether the user and the communication device in combination are authorized to access the requested network service according to the user profile. In some embodiments, said controlling comprises allowing or rejecting the request to access the requested network service depending on said checking. In some embodiments, said allowing or rejecting comprises allowing the request and transmitting a response to the request including an access token granting the user and the communication device in combination access to the requested network service. In some embodiments, said checking comprises checking whether the user and the communication device in combination are nominally authorized to access the requested network service according to the user profile. In other embodiments, said checking alternatively or additionally comprises checking whether the one or more dynamic conditions in the user profile are met.
  • the one or more dynamic conditions include a location at which the user and the communication device in combination are, or are not, authorized to access the one or more network services. In other embodiments, the one or more dynamic conditions alternatively or additionally include a time period during which the user and the communication device in combination are, or are not, authorized to access the one or more network services.
  • obtaining the user profile comprises receiving the user profile from another network node that implements a user profile function.
  • the network node implements a User AuthN Function.
  • the user is a human user.
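The profile-based authorization of Figure 11 above (also stated among the Figure 9B and Figure 10B embodiments): nominal service authorization is checked first, then the location and time-period dynamic conditions, and an access token is returned only when all checks pass. This is an added example in Go and is not the applicant's implementation; the `ProfileStore` stand-in for the user profile function, the tracking-area strings, the UTC hour window, the HMAC token format and all type and function names are assumptions made for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"time"
)

// UserProfile is a constructed model of the profile provisioned for a user and
// device in combination. Field names are hypothetical.
type UserProfile struct {
	User, GPSI      string
	NominalServices map[string]bool // services the pair is nominally authorized to access
	AllowedAreas    map[string]bool // location condition: permitted areas; empty = unrestricted
	WindowStart     int             // time condition: UTC hours [WindowStart, WindowEnd); equal = unrestricted
	WindowEnd       int
}

// AccessRequest is the user's request, from the device, to access a service.
type AccessRequest struct {
	User, GPSI, Service, Area string
}

// Decision is the outcome; Reason names the first failed check so that denials
// can be logged and alerted on.
type Decision struct {
	Allowed bool
	Reason  string
	Token   string
}

// ProfileStore stands in for the separate node implementing the user profile
// function, keyed by user name and GPSI.
type ProfileStore map[[2]string]UserProfile

func (s ProfileStore) Lookup(user, gpsi string) (UserProfile, bool) {
	p, ok := s[[2]string{user, gpsi}]
	return p, ok
}

// inWindow evaluates the time-period condition, allowing windows that wrap midnight.
func inWindow(p UserProfile, now time.Time) bool {
	h := now.UTC().Hour()
	switch {
	case p.WindowStart == p.WindowEnd:
		return true
	case p.WindowStart < p.WindowEnd:
		return h >= p.WindowStart && h < p.WindowEnd
	default:
		return h >= p.WindowStart || h < p.WindowEnd
	}
}

// Authorize obtains the profile, checks nominal authorization, then the dynamic
// conditions, and only then mints a token scoped to the user, device and service.
func Authorize(store ProfileStore, req AccessRequest, now time.Time, tokenKey []byte) Decision {
	p, ok := store.Lookup(req.User, req.GPSI)
	if !ok {
		return Decision{Reason: "no profile for this user and device"}
	}
	if !p.NominalServices[req.Service] {
		return Decision{Reason: "service not authorized by profile"}
	}
	if len(p.AllowedAreas) > 0 && !p.AllowedAreas[req.Area] {
		return Decision{Reason: "location condition not met"}
	}
	if !inWindow(p, now) {
		return Decision{Reason: "time condition not met"}
	}
	return Decision{Allowed: true, Token: mintToken(tokenKey, req, now)}
}

// mintToken returns "<claims>.<hmac>", a constructed token whose claims bind it
// to the user, device and service and carry a one-hour expiry.
func mintToken(key []byte, req AccessRequest, now time.Time) string {
	claims := fmt.Sprintf("%s|%s|%s|%d", req.User, req.GPSI, req.Service, now.Add(time.Hour).Unix())
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(claims))
	return claims + "." + hex.EncodeToString(mac.Sum(nil))
}
```

The order of checks matters for what gets logged: a request for a service the pair is not provisioned for is reported as a profile mismatch rather than as a location or time failure, and a request that fails a dynamic condition is one that would otherwise have been granted, which is the case worth alerting on.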
  • Figure 12 depicts a method performed by a network node in a communication network in accordance with other particular embodiments.
  • the method comprises receiving a request to register a user name for a user with subscription identifying information that identifies a subscription to the communication network, wherein the request includes the subscription identifying information (Block 1200).
  • the method further comprises checking whether a communication device from which the request was received is registered with the communication network based on subscription identifying information that is the same as the subscription identifying information included in the request (Block 1210).
  • the method also comprises deciding whether or not to register the user name according to the request based at least in part on said checking (Block 1220).
  • said checking comprises performing one or more of, or requesting another network node to perform one or more of: (i) determining the subscription identifying information based on which the communication device is registered with the communication network by translating a network layer address of the communication device to the subscription identifying information, based on the network layer address having been allocated by the communication network to a communication device associated with that subscription identifying information; and (ii) checking whether the determined subscription identifying information is the same as the subscription identifying information included in the request.
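The user-name registration, credential registration and authentication steps stated for Figures 9A-9B, 10A-10B and 12 above: a user name is registered with a subscription only if the requesting device is registered under that same subscription; a public-key credential is then linked to the user name and the device's subscription under a credential identifier; an authentication request is accepted only if the requesting device's network layer address translates to the linked subscription and the request's signature verifies under the registered public key, after which a token is returned. This is an added example in Go and is not the applicant's implementation: the address-allocation table (a real node would request the translation from another network node), the ed25519 key type, the node-issued challenge as the signed payload, the random bearer token and all type and function names are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"net/netip"
)

// CredRecord links a credential to the user name and to the subscription (GPSI) of the device it was registered from.
type CredRecord struct {
	User   string
	GPSI   string
	PubKey ed25519.PublicKey // the credential: the public half of the user's key pair
}

// UserAuthN is a minimal stand-in for the User AuthN Function network node.
type UserAuthN struct {
	ipToGPSI map[netip.Addr]string // constructed stand-in for the network's address allocation records
	accounts map[string]string     // user name -> GPSI (the user account)
	creds    map[string]CredRecord // credential identifier -> linked record
}

// NewUserAuthN builds the node from a constructed address-to-subscription table.
func NewUserAuthN(ipToGPSI map[string]string) *UserAuthN {
	u := &UserAuthN{ipToGPSI: map[netip.Addr]string{}, accounts: map[string]string{}, creds: map[string]CredRecord{}}
	for ip, gpsi := range ipToGPSI {
		u.ipToGPSI[netip.MustParseAddr(ip)] = gpsi
	}
	return u
}

// subscriptionOf translates the requesting device's network layer address to the subscription it was allocated to (check (i)).
func (u *UserAuthN) subscriptionOf(srcIP string) (string, error) {
	addr, err := netip.ParseAddr(srcIP)
	if err != nil {
		return "", errors.New("malformed source address")
	}
	gpsi, ok := u.ipToGPSI[addr]
	if !ok {
		return "", errors.New("source address was not allocated by this network")
	}
	return gpsi, nil
}

// RegisterUserName binds the user name to the claimed GPSI only if the requesting
// device is itself registered under that GPSI (check (ii)).
func (u *UserAuthN) RegisterUserName(userName, claimedGPSI, srcIP string) error {
	gpsi, err := u.subscriptionOf(srcIP)
	if err != nil {
		return err
	}
	if gpsi != claimedGPSI {
		return errors.New("subscription in request does not match the requesting device")
	}
	u.accounts[userName] = gpsi
	return nil
}

// RegisterCredential links the public key, under credID, to the user name and to
// the subscription of the device the key arrives from.
func (u *UserAuthN) RegisterCredential(userName, credID string, pub ed25519.PublicKey, srcIP string) error {
	gpsi, err := u.subscriptionOf(srcIP)
	if err != nil {
		return err
	}
	if accountGPSI, ok := u.accounts[userName]; !ok || accountGPSI != gpsi {
		return errors.New("user name is not registered for the requesting device's subscription")
	}
	if len(pub) != ed25519.PublicKeySize {
		return errors.New("malformed public key") // ed25519.Verify panics on a wrong-size key
	}
	u.creds[credID] = CredRecord{User: userName, GPSI: gpsi, PubKey: pub}
	return nil
}

// Authenticate handles a request carrying the credential identifier and a signature over a node-issued
// challenge (the signed payload is an assumption). The device check runs first, then the signature check.
func (u *UserAuthN) Authenticate(credID, srcIP string, challenge, sig []byte) (string, error) {
	rec, ok := u.creds[credID]
	if !ok {
		return "", errors.New("unknown credential identifier")
	}
	gpsi, err := u.subscriptionOf(srcIP)
	if err != nil {
		return "", err
	}
	if gpsi != rec.GPSI {
		return "", errors.New("credential is not registered for the requesting device")
	}
	if !ed25519.Verify(rec.PubKey, challenge, sig) {
		return "", errors.New("signature verification failed")
	}
	tok := make([]byte, 16) // opaque bearer token; a real node would bind it to user and device and give it a lifetime
	if _, err := rand.Read(tok); err != nil {
		return "", err
	}
	return hex.EncodeToString(tok), nil
}
```

The two checks in `Authenticate` cover different failures: a correctly signed request arriving from a device on another subscription is rejected by the address-to-subscription check, and a request from the right device that lacks the private key is rejected by the signature check. Keeping the translation in one helper (`subscriptionOf`) also makes it the single place to swap in a query to the network node that actually holds the allocation records.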
  • Embodiments herein also include corresponding apparatuses.
  • Embodiments herein for instance include a communication device configured to perform any of the steps of any of the embodiments described above for the communication device.
  • Embodiments also include a communication device comprising processing circuitry and power supply circuitry.
  • the processing circuitry is configured to perform any of the steps of any of the embodiments described above for the communication device.
  • the power supply circuitry is configured to supply power to the communication device.
  • Embodiments further include a communication device comprising processing circuitry.
  • the processing circuitry is configured to perform any of the steps of any of the embodiments described above for the communication device.
  • the communication device further comprises communication circuitry.
  • Embodiments further include a communication device comprising processing circuitry and memory. The memory contains instructions executable by the processing circuitry whereby the communication device is configured to perform any of the steps of any of the embodiments described above for the communication device.
  • Embodiments moreover include a user equipment (UE).
  • the UE comprises an antenna configured to send and receive wireless signals.
  • the UE also comprises radio frontend circuitry connected to the antenna and to processing circuitry, and configured to condition signals communicated between the antenna and the processing circuitry.
  • the processing circuitry is configured to perform any of the steps of any of the embodiments described above for the communication device.
  • the UE also comprises an input interface connected to the processing circuitry and configured to allow input of information into the UE to be processed by the processing circuitry.
  • the UE may comprise an output interface connected to the processing circuitry and configured to output information from the UE that has been processed by the processing circuitry.
  • the UE may also comprise a battery connected to the processing circuitry and configured to supply power to the UE.
  • Embodiments herein also include a network node configured to perform any of the steps of any of the embodiments described above for the network node.
  • Embodiments also include a network node comprising processing circuitry and power supply circuitry.
  • the processing circuitry is configured to perform any of the steps of any of the embodiments described above for the network node.
  • the power supply circuitry is configured to supply power to the network node.
  • Embodiments further include a network node comprising processing circuitry.
  • the processing circuitry is configured to perform any of the steps of any of the embodiments described above for the network node.
  • the network node further comprises communication circuitry.
  • Embodiments further include a network node comprising processing circuitry and memory.
  • the memory contains instructions executable by the processing circuitry whereby the network node is configured to perform any of the steps of any of the embodiments described above for the network node.
  • the apparatuses described above may perform the methods herein and any other processing by implementing any functional means, modules, units, or circuitry.
  • the apparatuses comprise respective circuits or circuitry configured to perform the steps shown in the method figures.
  • the circuits or circuitry in this regard may comprise circuits dedicated to performing certain functional processing and/or one or more microprocessors in conjunction with memory.
  • the circuitry may include one or more microprocessors or microcontrollers, as well as other digital hardware, which may include digital signal processors (DSPs), special-purpose digital logic, and the like.
  • the processing circuitry may be configured to execute program code stored in memory, which may include one or several types of memory such as read-only memory (ROM), random-access memory, cache memory, flash memory devices, optical storage devices, etc.
  • Program code stored in memory may include program instructions for executing one or more telecommunications and/or data communications protocols as well as instructions for carrying out one or more of the techniques described herein, in several embodiments.
  • the memory stores program code that, when executed by the one or more processors, carries out the techniques described herein.
  • Figure 13 for example illustrates a communication device 12 as implemented in accordance with one or more embodiments.
  • the communication device 12 includes processing circuitry 1310 and communication circuitry 1320.
  • the communication circuitry 1320 (e.g., radio circuitry) is configured to transmit and/or receive information to and/or from one or more other nodes, e.g., via any communication technology.
  • the processing circuitry 1310 is configured to perform processing described above, e.g., in Figure 8, such as by executing instructions stored in memory 1330.
  • the processing circuitry 1310 in this regard may implement certain functional means, units, or modules.
  • Figure 14 illustrates a network node 14 as implemented in accordance with one or more embodiments.
  • the network node 14 includes processing circuitry 1410 and communication circuitry 1420.
  • the communication circuitry 1420 is configured to transmit and/or receive information to and/or from one or more other nodes, e.g., via any communication technology.
  • the processing circuitry 1410 is configured to perform processing described above, e.g., in Figures 9A-9B, Figures 10A-10B, Figure 11, and/or Figure 12, such as by executing instructions stored in memory 1430.
  • the processing circuitry 1410 in this regard may implement certain functional means, units, or modules.
  • a computer program comprises instructions which, when executed on at least one processor of an apparatus, cause the apparatus to carry out any of the respective processing described above.
  • a computer program in this regard may comprise one or more code modules corresponding to the means or units described above.
  • Embodiments further include a carrier containing such a computer program.
  • This carrier may comprise one of an electronic signal, optical signal, radio signal, or computer readable storage medium.
  • embodiments herein also include a computer program product stored on a non-transitory computer readable (storage or recording) medium and comprising instructions that, when executed by a processor of an apparatus, cause the apparatus to perform as described above.
  • Embodiments further include a computer program product comprising program code portions for performing the steps of any of the embodiments herein when the computer program product is executed by a computing device.
  • This computer program product may be stored on a computer readable recording medium.
  • Figure 15 shows an example of a communication system 1500 in accordance with some embodiments.
  • the communication system 1500 includes a telecommunication network 1502 that includes an access network 1504, such as a radio access network (RAN), and a core network 1506, which includes one or more core network nodes 1508.
  • the access network 1504 includes one or more access network nodes, such as network nodes 1510a and 1510b (one or more of which may be generally referred to as network nodes 1510), or any other similar 3rd Generation Partnership Project (3GPP) access nodes or non-3GPP access points.
  • a network node is not necessarily limited to an implementation in which a radio portion and a baseband portion are supplied and integrated by a single vendor.
  • the telecommunication network 1502 includes one or more Open-RAN (ORAN) network nodes.
  • An ORAN network node is a node in the telecommunication network 1502 that supports an ORAN specification (e.g., a specification published by the O-RAN Alliance, or any similar organization) and may operate alone or together with other nodes to implement one or more functionalities of any node in the telecommunication network 1502, including one or more network nodes 1510 and/or core network nodes 1508.
  • Examples of an ORAN network node include an open radio unit (O-RU), an open distributed unit (O-DU), an open central unit (O-CU), including an O-CU control plane (O-CU-CP) or an O-CU user plane (O-CU-UP), a RAN intelligent controller (near-real time or non-real time) hosting software or software plug-ins, such as a near-real time control application (e.g., xApp) or a non-real time control application (e.g., rApp), or any combination thereof (the adjective “open” designating support of an ORAN specification).
  • the network node may support a specification by, for example, supporting an interface defined by the ORAN specification, such as an A1, F1, W1, E1, E2, X2, Xn interface, an open fronthaul user plane interface, or an open fronthaul management plane interface.
  • an ORAN access node may be a logical node in a physical node.
  • an ORAN network node may be implemented in a virtualization environment (described further below) in which one or more network functions are virtualized.
  • the virtualization environment may include an O-Cloud computing platform orchestrated by a Service Management and Orchestration Framework via an O2 interface defined by the O-RAN Alliance or comparable technologies.
  • the network nodes 1510 facilitate direct or indirect connection of user equipment (UE), such as by connecting UEs 1512a, 1512b, 1512c, and 1512d (one or more of which may be generally referred to as UEs 1512) to the core network 1506 over one or more wireless connections.
  • Example wireless communications over a wireless connection include transmitting and/or receiving wireless signals using electromagnetic waves, radio waves, infrared waves, and/or other types of signals suitable for conveying information without the use of wires, cables, or other material conductors.
  • the communication system 1500 may include any number of wired or wireless networks, network nodes, UEs, and/or any other components or systems that may facilitate or participate in the communication of data and/or signals whether via wired or wireless connections.
  • the communication system 1500 may include and/or interface with any type of communication, telecommunication, data, cellular, radio network, and/or other similar type of system.
  • the UEs 1512 may be any of a wide variety of communication devices, including wireless devices arranged, configured, and/or operable to communicate wirelessly with the network nodes 1510 and other communication devices.
  • the network nodes 1510 are arranged, capable, configured, and/or operable to communicate directly or indirectly with the UEs 1512 and/or with other network nodes or equipment in the telecommunication network 1502 to enable and/or provide network access, such as wireless network access, and/or to perform other functions, such as administration in the telecommunication network 1502.
  • the core network 1506 connects the network nodes 1510 to one or more host computing systems, such as host 1516. These connections may be direct or indirect via one or more intermediary networks or devices. In other examples, network nodes may be directly coupled to hosts.
  • the core network 1506 includes one or more core network nodes (e.g., core network node 1508) that are structured with hardware and software components. Features of these components may be substantially similar to those described with respect to the UEs, network nodes, and/or hosts, such that the descriptions thereof are generally applicable to the corresponding components of the core network node 1508.
  • Example core network nodes include functions of one or more of a Mobile Switching Center (MSC), Mobility Management Entity (MME), Home Subscriber Server (HSS), Access and Mobility Management Function (AMF), Session Management Function (SMF), Authentication Server Function (AUSF), Subscription Identifier De-concealing function (SIDF), Unified Data Management (UDM), Security Edge Protection Proxy (SEPP), Network Exposure Function (NEF), and/or a User Plane Function (UPF).
  • MSC Mobile Switching Center
  • MME Mobility Management Entity
  • HSS Home Subscriber Server
  • AMF Access and Mobility Management Function
  • SMF Session Management Function
  • AUSF Authentication Server Function
  • SIDF Subscription Identifier De-concealing function
  • UDM Unified Data Management
  • SEPP Security Edge Protection Proxy
  • NEF Network Exposure Function
  • UPF User Plane Function
  • the host 1516 may be under the ownership or control of a service provider other than an operator or provider of the access network 1504 and/or the telecommunication network 1502.
  • the host 1516 may host a variety of applications to provide one or more services. Examples of such applications include live and pre-recorded audio/video content, data collection services such as retrieving and compiling data on various ambient conditions detected by a plurality of UEs, analytics functionality, social media, functions for controlling or otherwise interacting with remote devices, functions for an alarm and surveillance center, or any other such function performed by a server.
  • the communication system 1500 of Figure 15 enables connectivity between the UEs, network nodes, and hosts.
  • the communication system may be configured to operate according to predefined rules or procedures, such as specific standards that include, but are not limited to: Global System for Mobile Communications (GSM); Universal Mobile Telecommunications System (UMTS); Long Term Evolution (LTE), and/or other suitable 2G, 3G, 4G, 5G standards, or any applicable future generation standard (e.g., 6G); wireless local area network (WLAN) standards, such as the Institute of Electrical and Electronics Engineers (IEEE) 802.11 standards (WiFi); and/or any other appropriate wireless communication standard, such as the Worldwide Interoperability for Microwave Access (WiMax), Bluetooth, Z-Wave, Near Field Communication (NFC), ZigBee, LiFi, and/or any low-power wide-area network (LPWAN) standards such as LoRa and Sigfox.
  • GSM Global System for Mobile Communications
  • UMTS Universal Mobile Telecommunications System
  • LTE Long Term Evolution
  • the telecommunication network 1502 is a cellular network that implements 3GPP standardized features. Accordingly, the telecommunications network 1502 may support network slicing to provide different logical networks to different devices that are connected to the telecommunication network 1502. For example, the telecommunications network 1502 may provide Ultra Reliable Low Latency Communication (URLLC) services to some UEs, while providing Enhanced Mobile Broadband (eMBB) services to other UEs, and/or Massive Machine Type Communication (mMTC)/Massive IoT services to yet further UEs.
  • URLLC Ultra Reliable Low Latency Communication
  • eMBB Enhanced Mobile Broadband
  • mMTC Massive Machine Type Communication
  • the UEs 1512 are configured to transmit and/or receive information without direct human interaction.
  • a UE may be designed to transmit information to the access network 1504 on a predetermined schedule, when triggered by an internal or external event, or in response to requests from the access network 1504.
  • a UE may be configured for operating in single- or multi-RAT or multi-standard mode.
  • a UE may operate with any one or combination of Wi-Fi, NR (New Radio) and LTE, i.e. being configured for multi-radio dual connectivity (MR-DC), such as E-UTRAN (Evolved-UMTS Terrestrial Radio Access Network) New Radio - Dual Connectivity (EN-DC).
  • MR-DC multi-radio dual connectivity
  • the hub 1514 communicates with the access network 1504 to facilitate indirect communication between one or more UEs (e.g., UE 1512c and/or 1512d) and network nodes (e.g., network node 1510b).
  • the hub 1514 may be a controller, router, content source and analytics, or any of the other communication devices described herein regarding UEs.
  • the hub 1514 may be a broadband router enabling access to the core network 1506 for the UEs.
  • the hub 1514 may be a controller that sends commands or instructions to one or more actuators in the UEs.
  • the hub 1514 may be a data collector that acts as temporary storage for UE data and, in some embodiments, may perform analysis or other processing of the data.
  • the hub 1514 may be a content source. For example, for a UE that is a VR device, display, loudspeaker, or other media delivery device, the hub 1514 may retrieve VR assets, video, audio, or other media or data related to sensory information via a network node, which the hub 1514 then provides to the UE either directly, after performing local processing, and/or after adding additional local content.
  • the hub 1514 acts as a proxy server or orchestrator for the UEs, in particular if one or more of the UEs are low energy IoT devices.
  • the hub 1514 may have a constant/persistent or intermittent connection to the network node 1510b.
  • the hub 1514 may also allow for a different communication scheme and/or schedule between the hub 1514 and UEs (e.g., UE 1512c and/or 1512d), and between the hub 1514 and the core network 1506.
  • the hub 1514 is connected to the core network 1506 and/or one or more UEs via a wired connection.
  • the hub 1514 may be configured to connect to an M2M service provider over the access network 1504 and/or to another UE over a direct connection.
  • UEs may establish a wireless connection with the network nodes 1510 while still connected via the hub 1514 via a wired or wireless connection.
  • the hub 1514 may be a dedicated hub - that is, a hub whose primary function is to route communications to/from the UEs from/to the network node 1510b.
  • the hub 1514 may be a non-dedicated hub - that is, a device which is capable of operating to route communications between the UEs and network node 1510b, but which is additionally capable of operating as a communication start and/or end point for certain data channels.
  • FIG 16 shows a UE 1600 in accordance with some embodiments.
  • the UE 1600 presents additional details of some embodiments of the UE 1512 of Figure 1.
  • a UE refers to a device capable, configured, arranged and/or operable to communicate wirelessly with network nodes and/or other UEs.
  • Examples of a UE include, but are not limited to, a smart phone, mobile phone, cell phone, voice over IP (VoIP) phone, wireless local loop phone, desktop computer, personal digital assistant (PDA), wireless cameras, gaming console or device, music storage/playback device, wearable terminal device, wireless endpoint, mobile station, tablet, laptop, laptop-embedded equipment (LEE), laptop-mounted equipment (LME), an Augmented Reality (AR) or Virtual Reality (VR) device, wireless customer-premise equipment (CPE), vehicle, vehicle-mounted or vehicle embedded/integrated wireless device, etc.
  • Other examples include any UE identified by the 3rd Generation Partnership Project (3GPP), including a narrow band internet of things (NB-IoT) UE, a machine type communication (MTC) UE, and/or an enhanced MTC (eMTC) UE.
  • 3GPP 3rd Generation Partnership Project
  • NB-IoT narrow band internet of things
  • MTC machine type communication
  • eMTC enhanced MTC
  • a UE may support device-to-device (D2D) communication, for example by implementing a 3GPP standard for sidelink communication, Dedicated Short-Range Communication (DSRC), vehicle-to-vehicle (V2V), vehicle-to-infrastructure (V2I), or vehicle-to-everything (V2X).
  • D2D device-to-device
  • DSRC Dedicated Short-Range Communication
  • V2V vehicle-to-vehicle
  • V2I vehicle-to-infrastructure
  • V2X vehicle-to-everything
  • a UE may not necessarily have a user in the sense of a human user who owns and/or operates the relevant device.
  • a UE may represent a device that is intended for sale to, or operation by, a human user but which may not, or which may not initially, be associated with a specific human user (e.g., a smart sprinkler controller).
  • a UE may represent a device that is not intended for sale
  • the UE 1600 includes processing circuitry 1602 that is operatively coupled via a bus 1604 to an input/output interface 1606, a power source 1608, a memory 1610, a communication interface 1612, and/or any other component, or any combination thereof.
  • Certain UEs may utilize all or a subset of the components shown in Figure 16. The level of integration between the components may vary from one UE to another UE. Further, certain UEs may contain multiple instances of a component, such as multiple processors, memories, transceivers, transmitters, receivers, etc.
  • the processing circuitry 1602 is configured to process instructions and data and may be configured to implement any sequential state machine operative to execute instructions stored as machine-readable computer programs in the memory 1610.
  • the processing circuitry 1602 may be implemented as one or more hardware-implemented state machines (e.g., in discrete logic, field-programmable gate arrays (FPGAs), application specific integrated circuits (ASICs), etc.); programmable logic together with appropriate firmware; one or more stored computer programs, general-purpose processors, such as a microprocessor or digital signal processor (DSP), together with appropriate software; or any combination of the above.
  • the processing circuitry 1602 may include multiple central processing units (CPUs).
  • the input/output interface 1606 may be configured to provide an interface or interfaces to an input device, output device, or one or more input and/or output devices.
  • Examples of an output device include a speaker, a sound card, a video card, a display, a monitor, a printer, an actuator, an emitter, a smartcard, another output device, or any combination thereof.
  • An input device may allow a user to capture information into the UE 1600.
  • Examples of an input device include a touch-sensitive or presence-sensitive display, a camera (e.g., a digital camera, a digital video camera, a web camera, etc.), a microphone, a sensor, a mouse, a trackball, a directional pad, a trackpad, a scroll wheel, a smartcard, and the like.
  • the presence-sensitive display may include a capacitive or resistive touch sensor to sense input from a user.
  • a sensor may be, for instance, an accelerometer, a gyroscope, a tilt sensor, a force sensor, a magnetometer, an optical sensor, a proximity sensor, a biometric sensor, etc., or any combination thereof.
  • An output device may use the same type of interface port as an input device. For example, a Universal Serial Bus (USB) port may be used to provide an input device and an output device.
  • USB Universal Serial Bus
  • the power source 1608 is structured as a battery or battery pack. Other types of power sources, such as an external power source (e.g., an electricity outlet), photovoltaic device, or power cell, may be used.
  • the power source 1608 may further include power circuitry for delivering power from the power source 1608 itself, and/or an external power source, to the various parts of the UE 1600 via input circuitry or an interface such as an electrical power cable. Delivering power may be, for example, for charging of the power source 1608.
  • Power circuitry may perform any formatting, converting, or other modification to the power from the power source 1608 to make the power suitable for the respective components of the UE 1600 to which power is supplied.
  • the memory 1610 may be or be configured to include memory such as random access memory (RAM), read-only memory (ROM), programmable read-only memory (PROM), erasable programmable read-only memory (EPROM), electrically erasable programmable read-only memory (EEPROM), magnetic disks, optical disks, hard disks, removable cartridges, flash drives, and so forth.
  • the memory 1610 includes one or more application programs 1614, such as an operating system, web browser application, a widget, gadget engine, or other application, and corresponding data 1616.
  • the memory 1610 may store, for use by the UE 1600, any of a variety of operating systems or combinations of operating systems.
  • the memory 1610 may be configured to include a number of physical drive units, such as redundant array of independent disks (RAID), flash memory, USB flash drive, external hard disk drive, thumb drive, pen drive, key drive, high-density digital versatile disc (HD-DVD) optical disc drive, internal hard disk drive, Blu-Ray optical disc drive, holographic digital data storage (HDDS) optical disc drive, external mini-dual in-line memory module (DIMM), synchronous dynamic random access memory (SDRAM), external micro-DIMM SDRAM, smartcard memory such as tamper resistant module in the form of a universal integrated circuit card (UICC) including one or more subscriber identity modules (SIMs), such as a USIM and/or ISIM, other memory, or any combination thereof.
  • RAID redundant array of independent disks
  • HD-DVD high-density digital versatile disc
  • HDDS holographic digital data storage
  • DIMM dual in-line memory module
  • SDRAM synchronous dynamic random access memory
  • the UICC may for example be an embedded UICC (eUICC), integrated UICC (iUICC) or a removable UICC commonly known as ‘SIM card.’
  • the memory 1610 may allow the UE 1600 to access instructions, application programs and the like, stored on transitory or non-transitory memory media, to off-load data, or to upload data.
  • An article of manufacture, such as one utilizing a communication system, may be tangibly embodied as or in the memory 1610, which may be or comprise a device-readable storage medium.
  • the processing circuitry 1602 may be configured to communicate with an access network or other network using the communication interface 1612.
  • the communication interface 1612 may comprise one or more communication subsystems and may include or be communicatively coupled to an antenna 1622.
  • the communication interface 1612 may include one or more transceivers used to communicate, such as by communicating with one or more remote transceivers of another device capable of wireless communication (e.g., another UE or a network node in an access network).
  • Each transceiver may include a transmitter 1618 and/or a receiver 1620 appropriate to provide network communications (e.g., optical, electrical, frequency allocations, and so forth).
  • the transmitter 1618 and receiver 1620 may be coupled to one or more antennas (e.g., antenna 1622) and may share circuit components, software or firmware, or alternatively be implemented separately.
  • communication functions of the communication interface 1612 may include cellular communication, Wi-Fi communication, LPWAN communication, data communication, voice communication, multimedia communication, short-range communications such as Bluetooth, near-field communication, location-based communication such as the use of the global positioning system (GPS) to determine a location, another like communication function, or any combination thereof.
  • GPS global positioning system
  • Communications may be implemented according to one or more communication protocols and/or standards, such as IEEE 802.11, Code Division Multiplexing Access (CDMA), Wideband Code Division Multiple Access (WCDMA), GSM, LTE, New Radio (NR), UMTS, WiMax, Ethernet, transmission control protocol/internet protocol (TCP/IP), synchronous optical networking (SONET), Asynchronous Transfer Mode (ATM), QUIC, Hypertext Transfer Protocol (HTTP), and so forth.
  • CDMA Code Division Multiplexing Access
  • WCDMA Wideband Code Division Multiple Access
  • GSM Global System for Mobile communications
  • LTE Long Term Evolution
  • NR New Radio
  • UMTS Universal Mobile Telecommunications System
  • WiMax Worldwide Interoperability for Microwave Access
  • TCP/IP transmission control protocol/internet protocol
  • SONET synchronous optical networking
  • ATM Asynchronous Transfer Mode
  • HTTP Hypertext Transfer Protocol
  • a UE may provide an output of data captured by its sensors, through its communication interface 1612, via a wireless connection to a network node.
  • Data captured by sensors of a UE can be communicated through a wireless connection to a network node via another UE.
  • the output may be periodic (e.g., once every 15 minutes if it reports the sensed temperature), random (e.g., to even out the load from reporting from several sensors), in response to a triggering event (e.g., when moisture is detected an alert is sent), in response to a request (e.g., a user initiated request), or a continuous stream (e.g., a live video feed of a patient).
  • a UE comprises an actuator, a motor, or a switch, related to a communication interface configured to receive wireless input from a network node via a wireless connection.
  • the states of the actuator, the motor, or the switch may change.
  • the UE may comprise a motor that adjusts the control surfaces or rotors of a drone in flight according to the received input or to a robotic arm performing a medical procedure according to the received input.
  • a UE, when in the form of an Internet of Things (IoT) device, may be a device for use in one or more application domains, these domains comprising, but not limited to, city wearable technology, extended industrial application and healthcare.
  • IoT devices are devices which are, or which are embedded in: a connected refrigerator or freezer, a TV, a connected lighting device, an electricity meter, a robot vacuum cleaner, a voice controlled smart speaker, a home security camera, a motion detector, a thermostat, a smoke detector, a door/window sensor, a flood/moisture sensor, an electrical door lock, a connected doorbell, an air conditioning system like a heat pump, an autonomous vehicle, a surveillance system, a weather monitoring device, a vehicle parking monitoring device, an electric vehicle charging station, a smart watch, a fitness tracker, a wearable for tactile augmentation or sensory enhancement, a water sprinkler, an animal- or item-tracking device, a sensor for monitoring a plant or animal, an industrial robot, an
  • a UE may represent a machine or other device that performs monitoring and/or measurements, and transmits the results of such monitoring and/or measurements to another UE and/or a network node.
  • the UE may in this case be an M2M device, which may in a 3GPP context be referred to as an MTC device.
  • the UE may implement the 3GPP NB-IoT standard.
  • a UE may represent a vehicle, such as a car, a bus, a truck, a ship and an airplane, or other equipment that is capable of monitoring and/or reporting on its operational status or other functions associated with its operation.
  • any number of UEs may be used together with respect to a single use case.
  • a first UE might be or be integrated in a drone and provide the drone’s speed information (obtained through a speed sensor) to a second UE that is a remote controller operating the drone.
  • the first UE may adjust the throttle on the drone (e.g. by controlling an actuator) to increase or decrease the drone’s speed.
  • the first and/or the second UE can also include more than one of the functionalities described above.
  • a UE might comprise the sensor and the actuator, and handle communication of data for both the speed sensor and the actuators.
  • FIG 17 shows a network node 1700 in accordance with some embodiments.
  • network node refers to equipment capable, configured, arranged and/or operable to communicate directly or indirectly with a UE and/or with other network nodes or equipment, in a telecommunication network.
  • network nodes include, but are not limited to, access points (APs) (e.g., radio access points), base stations (BSs) (e.g., radio base stations, Node Bs, evolved Node Bs (eNBs) and NR NodeBs (gNBs)), O-RAN nodes or components of an O-RAN node (e.g., O-RU, O-DU, O-CU).
  • APs access points
  • BSs base stations
  • eNBs evolved Node Bs
  • gNBs NR NodeBs
  • O-RU, O-DU, O-CU components of an O-RAN node
  • Base stations may be categorized based on the amount of coverage they provide (or, stated differently, their transmit power level) and so, depending on the provided amount of coverage, may be referred to as femto base stations, pico base stations, micro base stations, or macro base stations.
  • a base station may be a relay node or a relay donor node controlling a relay.
  • a network node may also include one or more (or all) parts of a distributed radio base station such as centralized digital units, distributed units (e.g., in an O-RAN access node) and/or remote radio units (RRUs), sometimes referred to as Remote Radio Heads (RRHs). Such remote radio units may or may not be integrated with an antenna as an antenna integrated radio.
  • Parts of a distributed radio base station may also be referred to as nodes in a distributed antenna system (DAS).
  • DAS distributed antenna system
  • network nodes include multiple transmission point (multi-TRP) 5G access nodes, multi-standard radio (MSR) equipment such as MSR BSs, network controllers such as radio network controllers (RNCs) or base station controllers (BSCs), base transceiver stations (BTSs), transmission points, transmission nodes, multi-cell/multicast coordination entities (MCEs), Operation and Maintenance (O&M) nodes, Operations Support System (OSS) nodes, Self-Organizing Network (SON) nodes, positioning nodes (e.g., Evolved Serving Mobile Location Centers (E-SMLCs)), and/or Minimization of Drive Tests (MDTs).
  • MSR multi-standard radio
  • RNCs radio network controllers
  • BSCs base station controllers
  • BTSs base transceiver stations
  • O&M Operation and Maintenance
  • OSS Operations Support System
  • SON Self-Organizing Network
  • E-SMLCs Evolved Serving Mobile Location Centers
  • the network node 1700 includes a processing circuitry 1702, a memory 1704, a communication interface 1706, and a power source 1708.
  • the network node 1700 may be composed of multiple physically separate components (e.g., a NodeB component and a RNC component, or a BTS component and a BSC component, etc.), which may each have their own respective components.
  • the network node 1700 comprises multiple separate components (e.g., BTS and BSC components)
  • one or more of the separate components may be shared among several network nodes.
  • a single RNC may control multiple NodeBs.
  • each unique NodeB and RNC pair may in some instances be considered a single separate network node.
  • the network node 1700 may be configured to support multiple radio access technologies (RATs). In such embodiments, some components may be duplicated (e.g., separate memory 1704 for different RATs) and some components may be reused (e.g., a same antenna 1710 may be shared by different RATs).
  • the network node 1700 may also include multiple sets of the various illustrated components for different wireless technologies integrated into network node 1700, for example GSM, WCDMA, LTE, NR, WiFi, Zigbee, Z-Wave, LoRaWAN, Radio Frequency Identification (RFID) or Bluetooth wireless technologies. These wireless technologies may be integrated into the same or different chip or set of chips and other components within network node 1700.
  • RFID Radio Frequency Identification
  • the processing circuitry 1702 may comprise a combination of one or more of a microprocessor, controller, microcontroller, central processing unit, digital signal processor, application-specific integrated circuit, field programmable gate array, or any other suitable computing device, resource, or combination of hardware, software and/or encoded logic operable, either alone or in conjunction with other network node 1700 components, such as the memory 1704, to provide network node 1700 functionality.
  • the processing circuitry 1702 includes a system on a chip (SOC). In some embodiments, the processing circuitry 1702 includes one or more of radio frequency (RF) transceiver circuitry 1712 and baseband processing circuitry 1714. In some embodiments, the radio frequency (RF) transceiver circuitry 1712 and the baseband processing circuitry 1714 may be on separate chips (or sets of chips), boards, or units, such as radio units and digital units. In alternative embodiments, part or all of RF transceiver circuitry 1712 and baseband processing circuitry 1714 may be on the same chip or set of chips, boards, or units.
  • SOC system on a chip
  • the memory 1704 may comprise any form of volatile or non-volatile computer-readable memory including, without limitation, persistent storage, solid-state memory, remotely mounted memory, magnetic media, optical media, random access memory (RAM), read-only memory (ROM), mass storage media (for example, a hard disk), removable storage media (for example, a flash drive, a Compact Disk (CD) or a Digital Video Disk (DVD)), and/or any other volatile or non-volatile, non-transitory device-readable and/or computer-executable memory devices that store information, data, and/or instructions that may be used by the processing circuitry 1702.
  • the memory 1704 may store any suitable instructions, data, or information, including a computer program, software, an application including one or more of logic, rules, code, tables, and/or other instructions capable of being executed by the processing circuitry 1702 and utilized by the network node 1700.
  • the memory 1704 may be used to store any calculations made by the processing circuitry 1702 and/or any data received via the communication interface 1706.
  • the processing circuitry 1702 and memory 1704 are integrated.
  • the communication interface 1706 is used in wired or wireless communication of signaling and/or data between a network node, access network, and/or UE. As illustrated, the communication interface 1706 comprises port(s)/terminal(s) 1716 to send and receive data, for example to and from a network over a wired connection.
  • the communication interface 1706 also includes radio front-end circuitry 1718 that may be coupled to, or in certain embodiments a part of, the antenna 1710. Radio front-end circuitry 1718 comprises filters 1720 and amplifiers 1722.
  • the radio front-end circuitry 1718 may be connected to an antenna 1710 and processing circuitry 1702.
  • the radio front-end circuitry may be configured to condition signals communicated between antenna 1710 and processing circuitry 1702.
  • the radio front-end circuitry 1718 may receive digital data that is to be sent out to other network nodes or UEs via a wireless connection.
  • the radio front-end circuitry 1718 may convert the digital data into a radio signal having the appropriate channel and bandwidth parameters using a combination of filters 1720 and/or amplifiers 1722.
  • the radio signal may then be transmitted via the antenna 1710.
  • the antenna 1710 may collect radio signals which are then converted into digital data by the radio front-end circuitry 1718.
  • the digital data may be passed to the processing circuitry 1702.
  • the communication interface may comprise different components and/or different combinations of components.
  • the network node 1700 does not include separate radio front-end circuitry 1718, instead, the processing circuitry 1702 includes radio front-end circuitry and is connected to the antenna 1710.
  • all or some of the RF transceiver circuitry 1712 is part of the communication interface 1706.
  • the communication interface 1706 includes one or more ports or terminals 1716, the radio front-end circuitry 1718, and the RF transceiver circuitry 1712, as part of a radio unit (not shown), and the communication interface 1706 communicates with the baseband processing circuitry 1714, which is part of a digital unit (not shown).
  • the antenna 1710 may include one or more antennas, or antenna arrays, configured to send and/or receive wireless signals.
  • the antenna 1710 may be coupled to the radio front-end circuitry 1718 and may be any type of antenna capable of transmitting and receiving data and/or signals wirelessly.
  • the antenna 1710 is separate from the network node 1700 and connectable to the network node 1700 through an interface or port.
  • the antenna 1710, communication interface 1706, and/or the processing circuitry 1702 may be configured to perform any receiving operations and/or certain obtaining operations described herein as being performed by the network node. Any information, data and/or signals may be received from a UE, another network node and/or any other network equipment. Similarly, the antenna 1710, the communication interface 1706, and/or the processing circuitry 1702 may be configured to perform any transmitting operations described herein as being performed by the network node. Any information, data and/or signals may be transmitted to a UE, another network node and/or any other network equipment.
  • the power source 1708 provides power to the various components of network node 1700 in a form suitable for the respective components (e.g., at a voltage and current level needed for each respective component).
  • the power source 1708 may further comprise, or be coupled to, power management circuitry to supply the components of the network node 1700 with power for performing the functionality described herein.
  • the network node 1700 may be connectable to an external power source (e.g., the power grid, an electricity outlet) via an input circuitry or interface such as an electrical cable, whereby the external power source supplies power to power circuitry of the power source 1708.
  • the power source 1708 may comprise a source of power in the form of a battery or battery pack which is connected to, or integrated in, power circuitry. The battery may provide backup power should the external power source fail.
  • Embodiments of the network node 1700 may include additional components beyond those shown in Figure 17 for providing certain aspects of the network node’s functionality, including any of the functionality described herein and/or any functionality necessary to support the subject matter described herein.
  • the network node 1700 may include user interface equipment to allow input of information into the network node 1700 and to allow output of information from the network node 1700. This may allow a user to perform diagnostic, maintenance, repair, and other administrative functions for the network node 1700.
  • a core network node such as core network node 108 of FIG. 15
  • some components, such as the radio front-end circuitry 1718 and the RF transceiver circuitry 1712 may be omitted.
  • FIG 18 is a block diagram illustrating a virtualization environment 1800 in which functions implemented by some embodiments may be virtualized.
  • virtualizing means creating virtual versions of apparatuses or devices which may include virtualizing hardware platforms, storage devices and networking resources.
  • virtualization can be applied to any device described herein, or components thereof, and relates to an implementation in which at least a portion of the functionality is implemented as one or more virtual components.
  • Some or all of the functions described herein may be implemented as virtual components executed by one or more virtual machines (VMs) implemented in one or more virtual environments 1800 hosted by one or more of hardware nodes, such as a hardware computing device that operates as a network node, UE, core network node, or host.
  • the node may be entirely virtualized.
  • the virtualization environment 1800 includes components defined by the O-RAN Alliance, such as an O-Cloud environment orchestrated by a Service Management and Orchestration Framework via an O2 interface. Virtualization may facilitate distributed implementations of a network node, UE, core network node, or host.
  • Applications 1802 (which may alternatively be called software instances, virtual appliances, network functions, virtual nodes, virtual network functions, etc.) are run in the virtualization environment 1800 to implement some of the features, functions, and/or benefits of some of the embodiments disclosed herein.
  • Hardware 1804 includes processing circuitry, memory that stores software and/or instructions executable by hardware processing circuitry, and/or other hardware devices as described herein, such as a network interface, input/output interface, and so forth.
  • Software may be executed by the processing circuitry to instantiate one or more virtualization layers 1806 (also referred to as hypervisors or virtual machine monitors (VMMs)), provide VMs 1808a and 1808b (one or more of which may be generally referred to as VMs 1808), and/or perform any of the functions, features and/or benefits described in relation with some embodiments described herein.
  • the virtualization layer 1806 may present a virtual operating platform that appears like networking hardware to the VMs 1808.
  • the VMs 1808 comprise virtual processing, virtual memory, virtual networking or interface and virtual storage, and may be run by a corresponding virtualization layer 1806.
  • a virtualization layer 1806
  • Different embodiments of the instance of a virtual appliance 1802 may be implemented on one or more of VMs 1808, and the implementations may be made in different ways.
  • Virtualization of the hardware is in some contexts referred to as network function virtualization (NFV). NFV may be used to consolidate many network equipment types onto industry standard high volume server hardware, physical switches, and physical storage, which can be located in data centers, and customer premise equipment.
  • a VM 1808 may be a software implementation of a physical machine that runs programs as if they were executing on a physical, non-virtualized machine.
  • Each of the VMs 1808, and that part of hardware 1804 that executes that VM, be it hardware dedicated to that VM and/or hardware shared by that VM with others of the VMs, forms a separate virtual network element.
  • a virtual network function is responsible for handling specific network functions that run in one or more VMs 1808 on top of the hardware 1804 and corresponds to the application 1802.
  • Hardware 1804 may be implemented in a standalone network node with generic or specific components. Hardware 1804 may implement some functions via virtualization. Alternatively, hardware 1804 may be part of a larger cluster of hardware (e.g. such as in a data center or CPE) where many hardware nodes work together and are managed via management and orchestration 1810, which, among others, oversees lifecycle management of applications 1802.
  • hardware 1804 is coupled to one or more radio units that each include one or more transmitters and one or more receivers that may be coupled to one or more antennas. Radio units may communicate directly with other hardware nodes via one or more appropriate network interfaces and may be used in combination with the virtual components to provide a virtual node with radio capabilities, such as a radio access node or a base station.
  • some signaling can be provided with the use of a control system 1812 which may alternatively be used for communication between hardware nodes and radio units.
  • computing devices described herein may include the illustrated combination of hardware components
  • computing devices may comprise multiple different physical components that make up a single illustrated component, and functionality may be partitioned between separate components.
  • a communication interface may be configured to include any of the components described herein, and/or the functionality of the components may be partitioned between the processing circuitry and the communication interface.
  • non-computationally intensive functions of any of such components may be implemented in software or firmware and computationally intensive functions may be implemented in hardware.
  • processing circuitry executing instructions stored in memory, which in certain embodiments may be a computer program product in the form of a non-transitory computer-readable storage medium.
  • some or all of the functionality may be provided by the processing circuitry without executing instructions stored on a separate or discrete device-readable storage medium, such as in a hard-wired manner.
  • the processing circuitry can be configured to perform the described functionality. The benefits provided by such functionality are not limited to the processing circuitry alone or to other components of the computing device, but are enjoyed by the computing device as a whole, and/or by end users and a wireless network generally.
  • A3 The method of any of embodiments A1-A2, wherein the subscription identifying information is a GPSI or an MSISDN.
  • A4 The method of any of embodiments A1-A3, further comprising, after registration of the user and/or the credential, transmitting an authentication request to the network node requesting authentication of the user with the credential.
  • A6 The method of any of embodiments A4-A5, wherein the authentication request includes information about one or more network services to which the user requests access.
  • A7 The method of any of embodiments A4-A6, further comprising receiving one or more tokens from the network node in response to the authentication request.
  • A8. The method of embodiment A7, further comprising transmitting an invocation request requesting invocation of a network service on the basis of at least one of the one or more tokens, wherein the invocation request includes the at least one of the one or more tokens.
  • A9 The method of any of embodiments A7-A8, wherein the one or more tokens include: a user identity token that includes a username of the user and/or the subscription identifying information; and/or an access token that indicates the user and the communication device in combination are authorized to access the requested network service.
  • A11 The method of any of embodiments A1-A10, wherein the method is performed by an application client executed on the communication device.
  • A13 The method of any of embodiments A1-A12, wherein the network node implements a User AuthN Function.
  • A14 The method of any of embodiments A1-A13, wherein the user is a human user.
  • A15 The method of any of embodiments A1-A15, wherein the registration request is transmitted according to a W3C WebAuthN protocol or standard.
  • A16 The method of any of embodiments A1-A15, wherein the registration request is transmitted according to a passwordless authentication protocol.
  • A17 The method of any of embodiments A1-A16, wherein the credential is a password.
  • a method performed by a network node (14) in a communication network comprising: receiving, from a communication device (12), a credential (12C) that is attested as being associated with a user (12U) of the communication device (12); and registering the credential (12C) with the network node (14) as being associated with the user (12U) and the communication device (12) in combination.
  • linking comprises mapping the credential to a user account maintained for the user at the network node, wherein the user account for the user includes the user identifying information and the subscription identifying information.
  • the user identifying information is a user identity or a user name; and/or the subscription identifying information is a GPSI or an MSISDN;
  • checking comprises performing one or more of, or requesting another network node to perform one or more of: translating a network layer address of the communication device from which the request was received to a subscription identifier, based on the network layer address having been allocated by the communication network to a communication device associated with that subscription identifier; and checking whether the subscription identifier is the same as a subscription identifier associated with the communication device with which the credential is registered as being associated.
  • checking comprises performing one or more of, or requesting another network node to perform one or more of: translating a network layer address of the communication device from which the request was received to subscription identifying information, based on the network layer address having been allocated by the communication network to a communication device associated with that subscription identifying information; and checking whether the subscription identifying information is the same as subscription identifying information included in the request.
  • any of embodiments B1-B24 further comprising: obtaining a user profile provisioned in the communication network for the user and the communication device in combination, wherein the user profile indicates: which one or more network services the user and the communication device in combination are nominally authorized to access; and/or one or more dynamic conditions under which the user and the communication device in combination are, or are not, actually authorized to access the one or more network services; and controlling authorization of the user and the communication device in combination to access one or more network services according to the user profile.
  • checking comprises: checking whether the user and the communication device in combination are nominally authorized to access the requested network service according to the user profile; and/or checking whether the one or more dynamic conditions in the user profile are met.
  • any of embodiments B25-B28, wherein the one or more dynamic conditions include: a location at which the user and the communication device in combination are, or are not, authorized to access the one or more network services; and/or a time period during which the user and the communication device in combination are, or are not, authorized to access the one or more network services.
  • obtaining the user profile comprises receiving the user profile from another network node that implements a user profile function.
  • BB6 The method of embodiment BB2, wherein said linking comprises storing, in a data structure at the network node, data that indicates: for the user identifying information and the credential, one or more subscription identifiers that identify one or more respective subscriptions based on which one or more communication devices are registered with the communication network; or for the subscription identifying information, one or more user-credential pairs, wherein each user-credential pair comprises a pair of user identifying information identifying the user and a credential registered as being associated with the user.
  • BB7 The method of any of embodiments BB2-BB6, wherein said receiving further comprises receiving a credential identifier that identifies the credential, and wherein said registering comprises registering the credential as being identified by the credential identifier.
  • registering comprises registering the user as being authenticatable by the credential if the user is using the communication device.
  • BB9 The method of any of embodiments BB1-BB8, further comprising: after registering the user, receiving a request to authenticate the user with the credential; and checking whether a communication device from which the request was received is the same as the communication device with which the credential is associated.
  • checking comprises performing one or more of, or requesting another network node to perform one or more of: translating a network layer address of the communication device from which the request was received to a subscription identifier, based on the network layer address having been allocated by the communication network to a communication device associated with that subscription identifier; and checking whether the subscription identifier is the same as subscription identifying information included in the request.
  • BB11 The method of any of embodiments BB9-BB10, further comprising: deciding that authentication of the user has failed, based on the communication device from which the request was received not being the same as the communication device with which the credential is associated according to said checking; or deciding that authentication of the user has succeeded, based at least in part on the communication device from which the request was received being the same as the communication device with which the credential is associated according to said checking.
  • BB12 The method of any of embodiments BB9-BB11, wherein the credential is a public cryptographic key paired with a corresponding private cryptographic key, wherein the request includes a cryptographic signature asserted as being created with the private cryptographic key and/or as being verifiable with the public cryptographic key, and wherein the method further comprises: attempting to verify the cryptographic signature with the public cryptographic key; and deciding whether authentication of the user has succeeded or failed, based at least in part on whether the attempt to verify the cryptographic signature succeeded or failed.
  • registering comprises: before receiving the credential, receiving a request to register a user name for the user with subscription identifying information that identifies a subscription to the communication network, wherein the request includes the subscription identifying information; checking whether a communication device from which the request was received is registered with the communication network based on the same subscription identifying information as that included in the request; and deciding whether or not to register the user name according to the request based at least in part on said checking.
  • BB16 The method of embodiment BB15, wherein said checking comprises: translating, or requesting another network node to translate, a network layer address of the communication device from which the request was received to subscription identifying information, based on the network layer address having been allocated by the communication network to a communication device associated with that subscription identifying information; and checking whether the subscription identifying information is the same as the subscription identifying information based on which the communication device from which the request was received is registered with the communication network.
  • BB17 The method of any of embodiments BB1-BB16, wherein the credential is a public cryptographic key that is paired with a corresponding private cryptographic key.
  • BB20 The method of any of embodiments BB1-BB19, wherein the network node implements a User AuthN Function.
  • BB21 The method of any of embodiments BB1-BB20, wherein the user is a human user.
  • BB25 The method of any of embodiments B1-B24, further comprising: obtaining a user profile provisioned in the communication network for the user and the communication device in combination, wherein the user profile indicates: which one or more network services the user and the communication device in combination are nominally authorized to access; and/or one or more dynamic conditions under which the user and the communication device in combination are, or are not, actually authorized to access the one or more network services; and controlling authorization of the user and the communication device in combination to access one or more network services according to the user profile.
  • BB26 The method of embodiment BB25, wherein said controlling comprises: receiving, from the communication device, a request by the user to access a network service; checking whether the user and the communication device in combination are authorized to access the requested network service according to the user profile; and allowing or rejecting the request to access the requested network service depending on said checking.
  • allowing or rejecting comprises allowing the request and transmitting a response to the request including an access token granting the user and the communication device in combination access to the requested network service.
  • BB28 The method of any of embodiments BB26-BB27, wherein said checking comprises: checking whether the user and the communication device in combination are nominally authorized to access the requested network service according to the user profile; and/or checking whether the one or more dynamic conditions in the user profile are met.
  • BB29 The method of any of embodiments BB25-BB28, wherein the one or more dynamic conditions include: a location at which the user and the communication device in combination are, or are not, authorized to access the one or more network services; and/or a time period during which the user and the communication device in combination are, or are not, authorized to access the one or more network services.
  • BB30 The method of any of embodiments BB25-BB29, wherein obtaining the user profile comprises receiving the user profile from another network node that implements a user profile function.
  • BB32 The method of any of embodiments BB1-BB31, wherein the credential is received in a registration request, wherein the registration request includes subscription identifying information that identifies a subscription based on which the communication device is registered with the communication network.
  • the registration request includes subscription identifying information that identifies a subscription based on which the communication device is registered with the communication network.
  • BBB4 The method of any of embodiments BBB2-BBB3, wherein said checking comprises: checking whether the user and the communication device in combination are nominally authorized to access the requested network service according to the user profile; and/or checking whether the one or more dynamic conditions in the user profile are met.
  • BBB5. The method of any of embodiments BBB1-BBB4, wherein the one or more dynamic conditions include: a location at which the user and the communication device in combination are, or are not, authorized to access the one or more network services; and/or a time period during which the user and the communication device in combination are, or are not, authorized to access the one or more network services.
  • BBB6 The method of any of embodiments BBB1-BBB5, wherein obtaining the user profile comprises receiving the user profile from another network node that implements a user profile function.
  • BBB7 The method of any of embodiments BBB1-BBB6, wherein the network node implements a User AuthN Function.
  • BBB8 The method of any of embodiments BBB1-BBB7, wherein the user is a human user.
  • BBBB2 The method of embodiment BBBB1, wherein said checking comprises performing one or more of, or requesting another network node to perform one or more of: determining the subscription identifying information based on which the communication device is registered with the communication network by translating a network layer address of the communication device to the subscription identifying information, based on the network layer address having been allocated by the communication network to a communication device associated with that subscription identifying information; and checking whether the determined subscription identifying information is the same as the subscription identifying information included in the request.
  • deciding comprises deciding not to register the user name according to the request, responsive to determining that the communication device from which the request was received is not registered with the communication network based on subscription identifying information that is the same as the subscription identifying information included in the request.
  • BBBB4 The method of any of embodiments BBBB1-BBBB3, wherein the network node implements a User AuthN Function.
  • BBBB5 The method of any of embodiments BBBB1-BBBB4, wherein the user is a human user.
  • a communication device configured to perform any of the steps of any of the Group A embodiments.
  • a communication device comprising processing circuitry configured to perform any of the steps of any of the Group A embodiments.
  • a communication device comprising: communication circuitry; and processing circuitry configured to perform any of the steps of any of the Group A embodiments.
  • a communication device comprising: processing circuitry configured to perform any of the steps of any of the Group A embodiments; and power supply circuitry configured to supply power to the communication device.
  • a communication device comprising: processing circuitry and memory, the memory containing instructions executable by the processing circuitry whereby the communication device is configured to perform any of the steps of any of the Group A embodiments.
  • a user equipment comprising: an antenna configured to send and receive wireless signals; radio front-end circuitry connected to the antenna and to processing circuitry, and configured to condition signals communicated between the antenna and the processing circuitry; the processing circuitry being configured to perform any of the steps of any of the Group A embodiments; an input interface connected to the processing circuitry and configured to allow input of information into the UE to be processed by the processing circuitry; an output interface connected to the processing circuitry and configured to output information from the UE that has been processed by the processing circuitry; and a battery connected to the processing circuitry and configured to supply power to the UE.
  • a computer program comprising instructions which, when executed by at least one processor of a communication device, cause the communication device to perform any of the steps of any of the Group A embodiments.
  • a network node configured to perform any of the steps of any of the Group B embodiments.
  • a network node comprising processing circuitry configured to perform any of the steps of any of the Group B embodiments.
  • a network node comprising: communication circuitry; and processing circuitry configured to perform any of the steps of any of the Group B embodiments.
  • a network node comprising: processing circuitry configured to perform any of the steps of any of the Group B embodiments; power supply circuitry configured to supply power to the network node.
  • a network node comprising: processing circuitry and memory, the memory containing instructions executable by the processing circuitry whereby the network node is configured to perform any of the steps of any of the Group B embodiments.
  • a computer program comprising instructions which, when executed by at least one processor of a network node, cause the network node to perform any of the steps of any of the Group B embodiments.
  • RSSI Received Signal Strength Indicator
  • RSTD Reference Signal Time Difference
  • SCH Synchronization Channel
  • SCell Secondary Cell
  • SDAP Service Data Adaptation Protocol
  • SDU Service Data Unit
  • SFN System Frame Number
  • SGW Serving Gateway
  • SI System Information
  • SIB System Information Block
  • SNR Signal to Noise Ratio
  • SON Self-Organizing Network
  • SS Synchronization Signal
  • SSS Secondary Synchronization Signal
  • TDD Time Division Duplex
  • TDOA Time Difference of Arrival
  • TOA Time of Arrival
  • TSS Tertiary Synchronization Signal
  • TTI Transmission Time Interval
  • UE User Equipment
  • UL Uplink
  • UMTS Universal Mobile Telecommunications System
  • USIM Universal Subscriber Identity Module
  • UTDOA Uplink Time Difference of Arrival
  • WCDMA Wideband CDMA
  • WLAN Wireless Local Area Network

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

A network node (14) in a communication network receives, from a communication device (12), a credential (12C) that is attested as being associated with a user (12U) of the communication device (12). The network node (14) registers the credential (12C) with the network node (14) as being associated with the user (12U) and the communication device (12) in combination.

Description

USER IDENTITY AUTHENTICATION IN A COMMUNICATION NETWORK
TECHNICAL FIELD
The present application relates generally to a communication network and relates more particularly to authentication of a user in such a communication network.
BACKGROUND
A communication network that conforms to 3rd Generation Partnership Project (3GPP) standards heretofore supports authentication at the User Equipment (UE) identifier level. Each UE in this regard registers with the network on the basis of a subscription to the network, such that each UE is identified as being associated with an identifier of that subscription, e.g., a Global Product Subscription Identity (GPSI) or a Mobile Subscriber Integrated Services Digital Network Number (MSISDN) stored in a Subscriber Identity Module (SIM)/embedded SIM (eSIM). A communication network accordingly performs authentication at the UE level by authenticating subscription identifiers.
However, some use cases such as a mobile metaverse would benefit from authentication and/or authorization at the user level, not just the UE level. Indeed, user authentication and/or authorization in such cases would enable differentiated quality of service (QoS), network slice access, and policy control per user. Challenges exist though with how to enable such user authentication and/or authorization to account for when one user has one or more UEs and/or when multiple users share one UE.
SUMMARY
Some embodiments herein provide user authentication in combination with communication device or subscription authentication in a communication network. One or more such embodiments exploit a passwordless authentication protocol for such user authentication, e.g., according to a W3C WebAuthN protocol or standard. In these and other embodiments, a communication device transmits a request to the network to register a user of the communication device (or a credential therefor) in association with a certain subscription to the network, e.g., where the user may be represented by a user name. Before accepting such a request, though, the network notably validates that the communication device has actually registered with the network on the basis of that subscription, e.g., using network layer address translation. Such may operate to effectively link registration of the user (or the user’s credential) with registration of the communication device, so that authentication of the user (and the credential associated with the user) is tied to a certain communication device. If the network’s validation of the communication device succeeds, the network may prompt the communication device to assert, and provide the network with, a credential (e.g., a public cryptographic key) associated with the user of the communication device, e.g., on the basis of biometrics from the user. The network may then register the user or the asserted credential as being associated with the user and the communication device in combination.
Still other embodiments provision a user profile for a user and a communication device in combination. Such a user profile may indicate which one or more network services the user and the communication device in combination are nominally authorized to access. Alternatively or additionally, the user profile may indicate one or more dynamic conditions under which the user and the communication device in combination are, or are not, actually authorized to access the one or more network services. This way, the network may control authorization of the user and the communication device in combination to access one or more network services according to the user profile.
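The user-profile authorization described in this paragraph (and in embodiments BB25-BB29 above) can be expressed as a small decision routine. The following is an added example, not code from the patent or from Ericsson: a profile provisioned for a user and device in combination lists the nominally authorized services plus two dynamic conditions, a permitted location and a permitted time window, and a service request is granted an access token only when the pair matches the profile and every condition holds. The service names, location labels, subscription value and token format are constructed assumptions.

```go
package main

import (
	"fmt"
	"time"
)

// TimeWindow is a half-open [Start, End) period during which access is permitted.
type TimeWindow struct{ Start, End time.Time }

// UserProfile is provisioned for a (user, device-subscription) pair.
type UserProfile struct {
	UserName  string
	GPSI      string          // subscription the device is registered with
	Services  map[string]bool // services the pair is nominally authorized to access
	Locations map[string]bool // locations where access is permitted (empty = anywhere)
	Windows   []TimeWindow    // time periods during which access is permitted (empty = always)
}

// ServiceRequest is what the network evaluates against the profile.
type ServiceRequest struct {
	UserName, GPSI, Service, Location string
	At                                time.Time
}

// Authorize returns an access token (constructed format) when the pair is
// nominally authorized and the dynamic conditions are met; otherwise the reason.
func (p UserProfile) Authorize(r ServiceRequest) (string, error) {
	if r.UserName != p.UserName || r.GPSI != p.GPSI {
		return "", fmt.Errorf("profile is for %s on %s, not this user/device pair", p.UserName, p.GPSI)
	}
	if !p.Services[r.Service] {
		return "", fmt.Errorf("%s is not nominally authorized for %s", r.UserName, r.Service)
	}
	if len(p.Locations) > 0 && !p.Locations[r.Location] {
		return "", fmt.Errorf("access to %s is not allowed from %s", r.Service, r.Location)
	}
	if len(p.Windows) > 0 && !inWindow(p.Windows, r.At) {
		return "", fmt.Errorf("access to %s is not allowed at %s", r.Service, r.At.Format(time.RFC3339))
	}
	return fmt.Sprintf("access:%s:%s:%s", p.UserName, p.GPSI, r.Service), nil
}

func inWindow(ws []TimeWindow, t time.Time) bool {
	for _, w := range ws {
		if !t.Before(w.Start) && t.Before(w.End) {
			return true
		}
	}
	return false
}

// SampleProfile is a constructed profile: two services, one campus, 08:00-18:00 UTC on one day.
func SampleProfile() UserProfile {
	day := time.Date(2025, 5, 12, 0, 0, 0, 0, time.UTC)
	return UserProfile{
		UserName:  "alice",
		GPSI:      "msisdn-46700000001", // constructed value
		Services:  map[string]bool{"metaverse-slice": true, "voice": true},
		Locations: map[string]bool{"campus-A": true},
		Windows:   []TimeWindow{{Start: day.Add(8 * time.Hour), End: day.Add(18 * time.Hour)}},
	}
}

func main() {
	p := SampleProfile()
	at := time.Date(2025, 5, 12, 9, 30, 0, 0, time.UTC)
	for _, r := range []ServiceRequest{
		{"alice", "msisdn-46700000001", "metaverse-slice", "campus-A", at},                     // granted
		{"alice", "msisdn-46700000001", "metaverse-slice", "campus-B", at},                     // wrong location
		{"alice", "msisdn-46700000001", "voice", "campus-A", at.Add(12 * time.Hour)},           // outside window
		{"alice", "msisdn-46700000002", "voice", "campus-A", at},                               // other subscription
	} {
		tok, err := p.Authorize(r)
		fmt.Printf("%-16s from %-8s -> token=%q err=%v\n", r.Service, r.Location, tok, err)
	}
}
```

The pair check comes first on purpose: a profile is keyed to the user and device in combination, so the same user on a device registered under another subscription is rejected before any service or condition is consulted.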
Some embodiments thereby advantageously provide authentication and/or authorization at the user level for the benefit of use cases such as a mobile metaverse. Some embodiments in this regard advantageously enable differentiated quality of service (QoS), network slice access, and/or policy control per user. Moreover, some embodiments enable such user authentication and/or authorization to account for when one user has one or more communication devices and/or when multiple users share one communication device.
More particularly, embodiments herein include a method performed by a communication device. The method comprises transmitting, to a network node in a communication network, a registration request that requests registration of a user of the communication device and/or registration of a credential associated with the user, wherein the registration request includes subscription identifying information that identifies a subscription based on which the communication device is registered with the communication network.
In some embodiments, the registration request requests registration of a user name for the user with the subscription identifying information.
In some embodiments, the subscription identifying information is a GPSI or an MSISDN.
In some embodiments, the method further comprises, after registration of the user and/or the credential, transmitting an authentication request to the network node requesting authentication of the user with the credential. In some embodiments, the authentication request includes a user name with which the user is registered. In some embodiments, the authentication request includes a credential identifier that identifies the credential to be used for authenticating the user. In some embodiments, the authentication request includes information about one or more network services to which the user requests access. In some embodiments, the method further comprises receiving one or more tokens from the network node in response to the authentication request. In some embodiments, the method further comprises transmitting an invocation request requesting invocation of a network service on the basis of at least one of the one or more tokens, wherein the invocation request includes the at least one of the one or more tokens. In some embodiments, the one or more tokens include a user identity token that includes a username of the user and/or the subscription identifying information. In other embodiments, the one or more tokens alternatively or additionally include an access token that indicates the user and the communication device in combination are authorized to access the requested network service.
Other embodiments herein include a method performed by a network node in a communication network. The method comprises receiving, from a communication device, a credential that is attested as being associated with a user of the communication device. The method also comprises registering the credential with the network node as being associated with the user and the communication device in combination.
In some embodiments, said registering comprises associating the credential with the user and the communication device in combination by linking user identifying information that identifies the user, subscription identifying information that identifies a subscription based on which the communication device is registered with the communication network, and the credential. In some embodiments, said linking comprises mapping the credential to a user account maintained for the user at the network node, where the user account for the user includes the user identifying information and the subscription identifying information. In some embodiments, said linking comprises storing, in a user account maintained at the network node for the user, the user identifying information, the subscription identifying information, and a credential record for the credential. In some embodiments, the user identifying information is a user identity or a user name. In other embodiments, the subscription identifying information is a GPSI or an MSISDN.
In some embodiments, the method further comprises, after registering the credential, receiving a request to authenticate the user with the credential. In some embodiments, the method further comprises checking whether a communication device from which the request was received is one of the communication devices with which the credential is registered as being associated.
In some embodiments, said checking comprises performing one or more of, or requesting another network node to perform one or more of: (i) translating a network layer address of the communication device from which the request was received to a subscription identifier, based on the network layer address having been allocated by the communication network to a communication device associated with that subscription identifier; and (ii) checking whether the subscription identifier is the same as a subscription identifier associated with the communication devices with which the credential is registered as being associated.
In some embodiments, the method further comprises deciding that authentication of the user has failed, based on the communication device from which the request was received not being one of the communication devices with which the credential is registered as being associated according to said checking. In other embodiments, the method further comprises deciding that authentication of the user has succeeded, based at least in part on the communication device from which the request was received being one of the communication devices with which the credential is registered as being associated according to said checking.
In some embodiments, the credential is a public cryptographic key paired with a corresponding private cryptographic key.
In some embodiments, the request includes a cryptographic signature asserted as being created with the private cryptographic key and/or as being verifiable with the public cryptographic key. In some embodiments, the method further comprises attempting to verify the cryptographic signature with the public cryptographic key. In some embodiments, the method further comprises deciding whether or not authentication of the user has succeeded or failed, based at least in part on whether the attempt to verify the cryptographic signature succeeded or failed.
In some embodiments, the method further comprises, based on authentication of the user succeeding, generating a token and transmitting the token in a response to the request.
In some embodiments, the method further comprises, before receiving the credential, receiving a request to register a user name for the user with subscription identifying information that identifies a subscription to the communication network, wherein the request includes the subscription identifying information. In some embodiments, the method further comprises checking whether a communication device from which the request was received is registered with the communication network based on the same subscription identifying information as that included in the request. In some embodiments, the method further comprises deciding whether or not to register the user name according to the request based at least in part on said checking. In some embodiments, said checking comprises translating, or requesting another network node to translate, a network layer address of the communication device from which the request was received to subscription identifying information, based on the network layer address having been allocated by the communication network to a communication device associated with that subscription identifying information. In some embodiments, said checking comprises checking whether the subscription identifying information is the same as the subscription identifying information based on which the communication device from which the request was received is registered with the communication network.
Other embodiments herein include a method performed by a network node in a communication network. The method comprises receiving, from a communication device, a credential that is attested as being associated with a user of the communication device. The method also comprises registering the user with the network node, including associating the credential with the user and the communication device in combination.
Other embodiments herein include a method performed by a network node in a communication network. The method comprises obtaining a user profile provisioned in the communication network for a user and a communication device in combination. In some embodiments, the user profile indicates which one or more network services the user and the communication device in combination are nominally authorized to access. In some embodiments, the user profile alternatively or additionally indicates one or more dynamic conditions under which the user and the communication device in combination are, or are not, actually authorized to access the one or more network services. The method also comprises controlling authorization of the user and the communication device in combination to access one or more network services according to the user profile.
In some embodiments, said controlling comprises receiving, from the communication device, a request by the user to access a network service. In some embodiments, said controlling comprises checking whether the user and the communication device in combination are authorized to access the requested network service according to the user profile. In some embodiments, said controlling comprises allowing or rejecting the request to access the requested network service depending on said checking. In some embodiments, said allowing or rejecting comprises allowing the request and transmitting a response to the request including an access token granting the user and the communication device in combination access to the requested network service. In some embodiments, said checking comprises checking whether the user and the communication device in combination are nominally authorized to access the requested network service according to the user profile. In other embodiments, said checking alternatively or additionally comprises checking whether the one or more dynamic conditions in the user profile are met.
Embodiments herein also include corresponding apparatus, computer programs, and carriers of those computer programs.
BRIEF DESCRIPTION OF THE DRAWINGS
Figure 1 is a block diagram of a communication device and a communication network according to some embodiments for registration to support user authentication.
Figure 2 is a block diagram of a communication device and a communication network according to some embodiments for user authentication and network service access.
Figure 3 is a block diagram of a use case supported by one or more embodiments.
Figure 4A is a block diagram of a use case supported by some embodiments.
Figure 4B is a block diagram of another use case supported by some embodiments.
Figure 5 is a block diagram of a UE and network functions according to some embodiments.
Figure 6 is a call flow diagram for registration according to some embodiments.
Figure 7 is a call flow diagram for user authentication and API invocation according to some embodiments.
Figure 8 is a logic flow diagram of a method performed by a communication device according to some embodiments.
Figures 9A-9B together form a logic flow diagram of a method performed by a network node according to some embodiments.
Figures 10A-10B together form a logic flow diagram of a method performed by a network node according to other embodiments.
Figure 11 is a logic flow diagram of a method performed by a network node according to still other embodiments.
Figure 12 is a logic flow diagram of a method performed by a network node according to yet other embodiments.
Figure 13 is a block diagram of a communication device according to some embodiments.
Figure 14 is a block diagram of a network node according to some embodiments.
Figure 15 is a block diagram of a communication system in accordance with some embodiments.
Figure 16 is a block diagram of a UE in accordance with some embodiments.
Figure 17 is a block diagram of a network node in accordance with some embodiments.
Figure 18 is a block diagram of a virtualization environment in accordance with some embodiments.
DETAILED DESCRIPTION
Figure 1 shows a communication network 10 configured to provide communication service to a communication device 12 according to some embodiments. The communication network 10 is configured to enable authentication of a user 12U of the communication device 12, e.g., by exploiting a passwordless authentication protocol such as the W3C WebAuthN protocol. Towards this end, the communication device 12 as shown transmits a registration request 16 to a network node 14 in the communication network, e.g., implementing a User AuthN Function. The registration request 16 may for instance be transmitted from an application layer of the communication device 12, e.g., by an application client executed on the communication device 12 and/or according to a passwordless authentication protocol such as the W3C WebAuthN protocol or standard. Regardless, the registration request 16 requests registration of the user 12U and/or a credential 12C associated with the user 12U. The registration request 16 in this regard may include a user name 12N that the user 12U requests to be associated with. In this case, then, the registration request 16 may be said to request registration of the user name 12N for the user 12U.
Notably, though, the registration request 16 requests registration of the user 12U and/or the credential 12C in association with a certain subscription to the communication network 10. The registration request 16 accordingly includes subscription identifying information 12S that identifies a subscription based on which the communication device 12 is registered with the communication network 10. The subscription identifying information 12S may for example be a Global Product Subscription Identity (GPSI) or a Mobile Subscriber Integrated Services Digital Network Number (MSISDN).
Before accepting the registration request 16, the network node 14 notably validates that the communication device 12 has actually registered with the communication network 10 on the basis of the subscription identified by the subscription identifying information 12S included in the registration request 16. This effectively links registration of the user 12U (or the user's credential 12C) with registration of the communication device 12, so that authentication of the user 12U (and of the credential 12C associated with the user 12U) is tied to a certain communication device 12.
More particularly in this regard, upon receiving the registration request 16, the network node 14 checks whether the communication device 12 from which the registration request 16 was received is registered with the communication network 10 based on subscription identifying information that is the same as the subscription identifying information 12S included in the registration request 16. Such checking may therefore effectively validate the subscription identifying information 12S included in the registration request 16. The network node 14 may perform this validation itself, or employ assistance from one or more other network nodes for the validation. As shown in Figure 1, for example, the network node performs a procedure 18 with another network node 17 to accomplish this validation.
In some embodiments, validation of the subscription identifying information 12S included in the registration request 16 involves translating a network layer address (e.g., Internet Protocol, IP, address) of the communication device 12 from which the registration request 16 was received into subscription identifying information. Indeed, when any communication device registers with the communication network 10 on the basis of a subscription to the communication network 10, the communication network 10 allocates a network layer address to that communication device. As such, the subscription identifying information based on which any communication device is registered can be looked up using the network layer address allocated to that communication device. Accordingly, in these embodiments, the network layer address from which the registration request 16 was received is used to look up the subscription identifying information corresponding to whatever communication device was allocated that network layer address. Then, it is checked whether the subscription identifying information resulting from that network layer address translation matches the subscription identifying information 12S included in the registration request 16. If they match, the subscription identifying information 12S included in the registration request 16 is deemed successfully validated.
In some embodiments exploiting such network layer address translation, the network node 14 may itself perform the translation and the subscription identifying information match check, i.e., the checking whether the subscription identifying information resulting from that network layer address translation matches the subscription identifying information 12S included in the registration request 16. In other embodiments, the network node 14 may employ the assistance of network node 17 to perform the network layer address translation, with network node 17 returning the corresponding subscription identifying information. The network node 14 in this case may perform the subscription identifying information match check using the result of the network layer address translation performed by network node 17. In still other embodiments, the network node 14 may employ the assistance of network node 17 to perform both the network layer address translation and the subscription identifying information match checking, with network node 17 returning the result of the subscription identifying information match checking.
Generally, then, network node 14 may perform one or more of, or request another network node 17 to perform one or more of: (i) determining the subscription identifying information based on which the communication device 12 is registered with the communication network 10 by translating a network layer address of the communication device 12 to the subscription identifying information; and (ii) checking whether the determined subscription identifying information is the same as the subscription identifying information 12S included in the registration request 16.
The network node 14 may then decide whether or not to allow the registration request 16 based at least in part on the result of the subscription identifying information match checking. For example, the network node 14 may decide not to allow the registration request 16, responsive to failure of the subscription identifying information match checking. Indeed, in this case, the network node 14 may effectively conclude that the communication device from which the registration request 16 was received is not registered with the communication network 10 based on subscription identifying information that is the same as the subscription identifying information 12S included in the registration request 16. On the other hand, the network node 14 may decide to allow the registration request 16, responsive to success of the subscription identifying information match checking. Indeed, in this case, the network node 14 may effectively conclude that the communication device from which the registration request 16 was received is registered with the communication network 10 based on subscription identifying information that is the same as the subscription identifying information 12S included in the registration request 16.
The network node 14 may in any event transmit a response 20 to the registration request 16. If the network node 14 allows the registration request 16, the response 20 may prompt the communication device 12 to assert, and provide the network node 14 with, a credential 12C associated with the user 12U of the communication device 12. The response 20 may for instance include a publicKeyCredentialRequestOptions parameter as described further below.
So prompted, the communication device 12 generates a credential 12C associated with the user 12U of the communication device 12. The credential 12C may for example be a public cryptographic key that is paired with a corresponding private cryptographic key. In these and other embodiments, the communication device 12 may obtain the credential 12C according to a passwordless authentication protocol such as the W3C WebAuthN protocol or standard. The communication device 12 in some embodiments ensures that the credential 12C is associated with the user 12U by using biometrics, e.g., facial recognition or fingerprint identification.
The communication device 12 then transmits the credential 12C to the network node 14, e.g., within registration information (info) message (msg) 22. In so doing, the communication device 12 asserts that the credential 12C is associated with the user 12U of the communication device 12.
In receipt of the credential 12C, the network node 14 registers the user 12U (e.g., by registering the user name 12N) and/or registers the credential 12C. In one or more such embodiments, the network node 14 registers the credential 12C as being associated with the user 12U and the communication device 12 in combination. As such, the credential 12C is registered as being valid for authenticating the user 12U only in connection with the communication device 12. In another such embodiment, the network node 14 registers the user 12U (e.g., by registering the user name 12N as being that of the user 12U), and associates the credential 12C with the user 12U and the communication device 12 in combination. In some embodiments, then, registration effectively associates the credential 12C with the user 12U and the communication device 12 in combination. Registration may accomplish this by linking (1) user identifying information 12F that identifies the user 12U, such as the user name 12N or some other user identity unique to the user 12U; (2) the subscription identifying information 12S that identifies the subscription based on which the communication device 12 is registered with the communication network 10; and (3) the credential 12C. The network node 14 may for example store the user identifying information 12F, the subscription identifying information 12S, and a credential record for the credential 12C in a user account maintained at the network node 14 for the user 12U. Alternatively or additionally, the network node 14 may map the credential 12C to a user account maintained at the network node 14 for the user 12U, where the user account includes the user identifying information 12F and the subscription identifying information 12S. 
Either way, Figure 1 shows that in some embodiments the network node 14 stores the user identifying information 12F, the subscription identifying information 12S, and the credential 12C in association with one another, e.g., in a registry 14R. The network node 14 may also store the credential 12C as being identified by a credential identifier 12C-ID, e.g., where the credential identifier 12C-ID may be provided from the communication device 12.
Registration of the user 12U and/or the user’s credential 12C in this way prepares the communication network 10 to authenticate the user 12U using the credential 12C, e.g., as may be needed later as a prerequisite to grant the user 12U access to a network service. Figure 2 shows a procedure for authenticating the user 12U using the credential 12C according to some embodiments.
As shown in Figure 2, the communication device 12 transmits an authentication request 30 to the network node 14 requesting to authenticate the user 12U with the credential 12C. In some embodiments, the authentication request 30 at least implicitly identifies the user 12U, the communication device 12 such as with subscription identifying information 12S, and the credential 12C. In one embodiment, for example, the authentication request 30 includes a credential ID 12C-ID which is linked at the network node 14 to the credential 12C with which the user 12U is to be authenticated and which is also associated or linked to the user identifying information 12F and the subscription identifying information 12S at the network node 14. Indeed, equipped with the credential ID 12C-ID, the network node 14 in receipt of the authentication request 30 may determine which credential 12C is to be used for authentication as well as which user 12U is to be authenticated and which communication device 12 or associated subscription must be associated with that user 12U for authentication.
As a prerequisite for authentication of the user 12U to succeed, though, the network node 14 requires that the communication device from which the authentication request 30 was received be the same as the communication device 12 with which the credential 12C is registered as being associated. The network node 14 accordingly checks that this is the case as part of its decision about whether to accept the authentication request 30.
Similar to that described above for registration, the network node 14 may exploit network layer address translation to check whether the communication device from which the authentication request 30 was received is the same as the communication device 12 with which the credential 12C is registered as being associated. The network node 14 may accordingly perform, or request another network node 17 to perform, network layer address translation and/or subscription identifying information match checking. In this case, though, the network layer address translation translates a network layer address of the communication device from which the authentication request 30 was received into a subscription identifier, e.g., based on the network layer address having been allocated by the communication network 10 to a communication device associated with that subscription identifier. Subscription identifying information match checking then entails checking whether the subscription identifier is the same as a subscription identifier associated with the communication device 12 with which the credential 12C is registered as being associated.
If the communication device from which the authentication request 30 was received is not the same as the communication device 12 with which the credential 12C is registered as being associated, the network node 14 may decide that authentication of the user 12U has failed. This may be the case even if one or more other requirements for authentication are met.
In this regard, the authentication request 30 as shown in Figure 2 may also include a cryptographic signature 32. The network node 14 in this case attempts to verify the cryptographic signature 32 with the credential 12C that is associated with the user 12U and the communication device 12 in combination. In some embodiments, for example, the credential 12C is a public cryptographic key paired with a corresponding private cryptographic key. In such embodiments, the authentication request 30 asserts that the cryptographic signature 32 has been created with the private cryptographic key and/or is verifiable with the public cryptographic key. The network node 14 thereby attempts to verify the cryptographic signature 32 with the public cryptographic key, and decides whether authentication of the user 12U has succeeded or failed, based at least in part on whether the attempt to verify the cryptographic signature 32 succeeded or failed.
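The registration-time validation of Figure 1 and the device-bound authentication of Figure 2, written out as an added Go example; this is not code from the application or from the applicant. The in-memory address-to-GPSI table stands in for the translation that network node 17 provides, the challenge the device signs is assumed to be issued fresh per request as in WebAuthn, and the addresses, GPSIs, user name and credential identifier are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// UserAccount links user identifying info 12F, subscription info 12S (a GPSI) and credential 12C/12C-ID.
type UserAccount struct {
	UserName  string
	GPSI      string
	CredID    string
	PublicKey ed25519.PublicKey
}

// UserAuthNFunction models network node 14 and its registry 14R; ipToGPSI is a constructed
// stand-in for the address-to-subscription translation the page assigns to network node 17.
type UserAuthNFunction struct {
	ipToGPSI   map[string]string
	byUserName map[string]*UserAccount
	byCredID   map[string]*UserAccount
}

func NewUserAuthNFunction(ipToGPSI map[string]string) *UserAuthNFunction {
	return &UserAuthNFunction{ipToGPSI: ipToGPSI,
		byUserName: map[string]*UserAccount{}, byCredID: map[string]*UserAccount{}}
}

// translateAddress is step (i): find the subscription the network allocated the address to.
func (f *UserAuthNFunction) translateAddress(srcIP string) (string, error) {
	if gpsi, ok := f.ipToGPSI[srcIP]; ok {
		return gpsi, nil
	}
	return "", fmt.Errorf("address %s was not allocated by this network", srcIP)
}

// sameSubscription is step (ii): the source address must resolve to the expected GPSI.
func (f *UserAuthNFunction) sameSubscription(srcIP, expectedGPSI string) bool {
	gpsi, err := f.translateAddress(srcIP)
	return err == nil && gpsi == expectedGPSI
}

// RegisterUserName handles registration request 16: a claimed GPSI is accepted only when
// the requesting device is itself registered under that subscription.
func (f *UserAuthNFunction) RegisterUserName(srcIP, userName, claimedGPSI string) error {
	if !f.sameSubscription(srcIP, claimedGPSI) {
		return errors.New("registration rejected: claimed GPSI is not the requesting device's subscription")
	}
	f.byUserName[userName] = &UserAccount{UserName: userName, GPSI: claimedGPSI}
	return nil
}

// RegisterCredential handles registration info message 22: the key is valid for user and subscription in combination.
func (f *UserAuthNFunction) RegisterCredential(srcIP, userName, credID string, pub ed25519.PublicKey) error {
	acct, ok := f.byUserName[userName]
	if !ok {
		return errors.New("user name is not registered")
	}
	if !f.sameSubscription(srcIP, acct.GPSI) {
		return errors.New("credential must be sent from the device bound to the user's subscription")
	}
	if len(pub) != ed25519.PublicKeySize { // ed25519.Verify panics on a wrong-size key
		return errors.New("malformed public key")
	}
	acct.CredID, acct.PublicKey = credID, pub
	f.byCredID[credID] = acct
	return nil
}

// Authenticate handles authentication request 30; challenge is the fresh per-request value the
// device signed. The device check runs first and fails authentication even for a valid signature.
func (f *UserAuthNFunction) Authenticate(srcIP, credID string, challenge, sig []byte) (*UserAccount, error) {
	acct, ok := f.byCredID[credID]
	if !ok {
		return nil, errors.New("unknown credential identifier")
	}
	if !f.sameSubscription(srcIP, acct.GPSI) {
		return nil, errors.New("authentication failed: request did not come from the registered device")
	}
	if !ed25519.Verify(acct.PublicKey, challenge, sig) {
		return nil, errors.New("authentication failed: signature does not verify with the registered key")
	}
	return acct, nil
}

func main() {
	// Constructed allocation table: 10.0.0.5 belongs to subscription GPSI-A, 10.0.0.9 to GPSI-B.
	f := NewUserAuthNFunction(map[string]string{"10.0.0.5": "GPSI-A", "10.0.0.9": "GPSI-B"})
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	_ = f.RegisterUserName("10.0.0.5", "user1@example.com", "GPSI-A")
	_ = f.RegisterCredential("10.0.0.5", "user1@example.com", "cred-1", pub)
	challenge := []byte("constructed-challenge-0001") // a real server issues a random one per request
	sig := ed25519.Sign(priv, challenge)
	_, err := f.Authenticate("10.0.0.5", "cred-1", challenge, sig)
	fmt.Println("registered device:", err)
	_, err = f.Authenticate("10.0.0.9", "cred-1", challenge, sig)
	fmt.Println("other device, same signature:", err)
}
```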
Regardless of how authentication is performed, based on authentication of the user 12U succeeding, the network node 14 as shown in Figure 2 generates one or more tokens 34 and transmits the token(s) 34 to the communication device 12, e.g., in a response to the authentication request 30. At least one of the token(s) 34 may operate as proof or evidence of authentication of the user 12U. In fact, at least one of the token(s) 34 may operate as proof or evidence of authentication of the user 12U in combination with the communication device 12.
In some embodiments, the token(s) 34 include a user identity token. The user identity token may specifically represent that the identity of the user 12U has been authenticated. The user identity token may accordingly not be sufficient in and of itself to grant the user 12U access to any given network service. Alternatively or additionally, then, the token(s) 34 may include an access token. The access token may represent that the user 12U in possession of the access token is authorized to access one or more network services.
In fact, in some embodiments, the network node 14 additionally controls authorization of the user 12U and the communication device 12 in combination to access one or more network services. The network node 14 may do so on the basis of a user profile 12P provisioned in the communication network 10 for the user 12U and the communication device 12 in combination. The network node 14 may obtain the user profile 12P from another network node, e.g., implementing a user profile function. The user profile 12P may for example indicate which one or more network services the user 12U and the communication device 12 in combination are nominally authorized to access. Alternatively or additionally, the user profile 12P may indicate one or more dynamic conditions under which the user 12U and the communication device 12 in combination are, or are not, actually authorized to access the one or more network services. Such dynamic condition(s) may also be referred to as constraints. The dynamic condition(s) may for instance include a geographical location at which the user 12U and the communication device 12 in combination are, or are not, authorized to access the one or more network services. Alternatively or additionally, the dynamic condition(s) may include a time period during which the user 12U and the communication device 12 in combination are, or are not, authorized to access the one or more network services. Either way, the network node 14 may check whether the user 12U and the communication device 12 in combination are authorized to access the requested network service according to the user profile 12P. This may involve checking whether the user 12U and the communication device 12 in combination are nominally authorized to access the requested network service according to the user profile 12P and/or checking whether the one or more dynamic conditions in the user profile 12P are met. 
The network node 14 may then allow or reject a request to access the requested network service depending on that checking. If the request is allowed, the network node 14 may issue the access token as described above, for granting the requested access.
Equipped with the token(s) 34, then, the communication device 12 may transmit an access request 36 to a network service node 40 that provides or facilitates access to a network service, e.g., via an application programming interface (API). The network service node 40 in some embodiments may take the form of an API exposing function. Regardless, the access request 36 includes the token(s) 34 based on which access to a network service (e.g., via an API) is requested.
Consider now some embodiments in a context where the communication device 12 is exemplified as a user equipment (UE), and the communication network 10 is a 3GPP-based network.
In one example, embodiments herein support a use case for Extended Reality (XR)-enabled collaborative and concurrent engineering in product design using metaverse services, e.g., according to 3GPP TR 22.856 V19.2.0, Feasibility Study on Localized Mobile Metaverse Service, and captured in Annex A.3 of 3GPP TS 22.156 V10.1.0.
In such an example use case, User 1 belongs to company A, which owns a Distributed Virtual Environment for collaborative and concurrent engineering. User 1 can access the Network QoS profile for Video, Audio and Haptics for the metaverse on any User Equipment as long as User 1 is at the company A office location. User 1 can access the Network QoS profile for Video and Audio for the metaverse on any User Equipment as long as User 1 is outside the company A office location. Conversely, User 2 belongs to company B, a partner company of A, which designs a key part of the component. User 2 can access the Network QoS profile for Video and Audio for the metaverse on any User Equipment and at any location.
For typical Network QoS profile for multi-modal streams, refer to Table 5.3.3-1 of 3GPP TR 22.856 V19.2.0.
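The profile-based authorization described above (nominal services plus dynamic location and time conditions), applied to the User 1 and User 2 scenario, as an added Go example that is not part of the application. The profile schema, user names, GPSIs, service identifiers and location labels are constructed, and the time window fields are an assumption covering the time-period condition the description mentions.

```go
package main

import (
	"fmt"
	"time"
)

// Condition is a dynamic condition (constraint) on one nominally authorized service:
// where and when the user-and-device combination may actually use it. An empty
// Locations list means any location; a zero NotBefore or NotAfter means no time bound.
type Condition struct {
	Locations []string
	NotBefore time.Time
	NotAfter  time.Time
}

// UserProfile is provisioned for a user and a device (subscription) in combination;
// Services maps each nominally authorized service to its dynamic condition.
type UserProfile struct {
	UserName string
	GPSI     string
	Services map[string]Condition
}

// AccessRequest is what the network node sees when an authenticated user asks for a
// service from a device: the combination, the service, and the current location and time.
type AccessRequest struct {
	UserName, GPSI, Service, Location string
	At                                time.Time
}

// Authorize reports whether the request is allowed and, if not, why.
func (p UserProfile) Authorize(r AccessRequest) (bool, string) {
	if r.UserName != p.UserName || r.GPSI != p.GPSI {
		return false, "profile is provisioned for a different user and device combination"
	}
	cond, nominal := p.Services[r.Service]
	if !nominal {
		return false, "service is not among those nominally authorized for this combination"
	}
	if len(cond.Locations) > 0 && !contains(cond.Locations, r.Location) {
		return false, "location condition not met"
	}
	if !cond.NotBefore.IsZero() && r.At.Before(cond.NotBefore) {
		return false, "time condition not met: access period has not started"
	}
	if !cond.NotAfter.IsZero() && r.At.After(cond.NotAfter) {
		return false, "time condition not met: access period has ended"
	}
	return true, ""
}

func contains(list []string, s string) bool {
	for _, v := range list {
		if v == s {
			return true
		}
	}
	return false
}

// Constructed profiles for the use case: User 1 (company A) may use the video, audio and
// haptics QoS profile only at the company A office and the video and audio profile anywhere;
// User 2 (company B) may use the video and audio profile anywhere. GPSIs are constructed.
var (
	User1 = UserProfile{UserName: "user1@example.com", GPSI: "GPSI-A",
		Services: map[string]Condition{
			"qos-video-audio-haptics": {Locations: []string{"company-A-office"}},
			"qos-video-audio":         {},
		}}
	User2 = UserProfile{UserName: "user2@example.com", GPSI: "GPSI-B",
		Services: map[string]Condition{"qos-video-audio": {}}}
)

func main() {
	now := time.Now()
	for _, r := range []AccessRequest{
		{"user1@example.com", "GPSI-A", "qos-video-audio-haptics", "company-A-office", now},
		{"user1@example.com", "GPSI-A", "qos-video-audio-haptics", "home", now},
		{"user1@example.com", "GPSI-A", "qos-video-audio", "home", now},
		{"user2@example.com", "GPSI-B", "qos-video-audio-haptics", "company-A-office", now},
	} {
		p := User1
		if r.UserName == User2.UserName {
			p = User2
		}
		ok, why := p.Authorize(r)
		fmt.Printf("%s %s at %s: allowed=%v %s\n", r.UserName, r.Service, r.Location, ok, why)
	}
}
```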
Some embodiments herein further support any of the following scenarios. Figure 3 shows User 1 and User 2 accessing network QoS profiles on their respective User Equipment. Consider the following use case:
1. User 1 (e.g., user1@example.com) with XR-enabled User Equipment (embedded 5G eSIM connectivity) starts collaborative and concurrent engineering in the Distributed Virtual Environment location. User 1 (e.g., user1@example.com) signs in to an existing application using whatever method they have been using (e.g., passkeys provided by Apple or Google).
2. The XR-enabled User Equipment prompts, "Do you (user1@example.com) want to register this device (input GPSI) with 5G connectivity (qualified Network QoS connected with camara.csp.com/qod)?"
3. The user inputs GPSI=A to associate GPSI=A with the user name (user1@example.com) for use of communication service provider (CSP) network services or network APIs.
4. The phone prompts the user for a previously configured authorization gesture (PIN, biometric, etc.); the user provides this.
5. The Distributed Virtual Environment shows the message "Registration complete in CSP 5G network" after the CSP responds with success about GPSI=A being associated with user1@apple.com.
Some embodiments facilitate security and privacy aspects of the mobile metaverse, e.g., addressing key issues in 3GPP TR 33.721 V0.1.0. Some embodiments alternatively or additionally address key issues in 3GPP TR 33.700-32 V0.1.0 about authentication and authorization of a Human User ID, e.g., so as to provide a means to support authentication and authorization of a human user based on a User identifier linked to a 3GPP subscription.
Some embodiments enable the 5G Core to identify the user who is using the device behind the 3GPP UE and enable providing differentiated QoS and Policy control per user.
Some embodiments enable the 3GPP system to support allowing a UE access to a slice or a network QoS based on successful User Identity authentication, plus UE location-aware verification. Alternatively or additionally, some embodiments enable the 3GPP system to deny a UE access to a slice or a network QoS based on unsuccessful User Identity authentication, plus UE location-aware verification.
Some embodiments are applicable for use in either the scenario in Figure 4A where one user (i.e., human) has one or more UE(s) or the scenario in Figure 4B where one or more users (i.e., humans) share one User Equipment.
Some embodiments use standard passkeys to authenticate a user by means of a biometric sensor (such as fingerprint or facial recognition) or a device PIN through a device Authenticator (e.g., an Apple device's passkeys using Face ID or Touch ID, or Google Password Manager on Android). Some embodiments in particular connect these passkeys, or W3C WebAuthn more generally, with the communication network 10 for associating the User Id with the subscriber Id or UE Id. In this regard, the Web Authentication standard provides an API for accessing Public Key Credentials, e.g., for implementing passwordless sign-in using passkeys for human user authentication.
Some embodiments generally introduce establishing a linkage between a human User identity and their User Equipment identity (CSP Subscriber Id) by preserving this relationship and its associated metadata (e.g., Public Key Credential, etc.) within the User Identity Authentication Function in the communication service provider (CSP) system (i.e., communication network 10). In some embodiments, the User Identity Authentication Function can use W3C WebAuthN passwordless authentication technology to associate the User Id with the UE Id, so as to identify the user who is using the device behind the 3GPP UE. Alternatively or additionally, some embodiments use User Identity authentication for Network API invocation, e.g., to allow or deny a UE access to a network QoS policy based on successful or unsuccessful User Identity authentication. Alternatively or additionally, the association of the User Identity (human user id) with the User Equipment identifier (CSP Subscriber Id) can also be used in CSP Network API authorization and consent management.
Certain embodiments may provide one or more of the following technical advantage(s). Some embodiments integrate Internet technologies like W3C Web Authentication and CSP technology to enable combined authentication of User IDs (or human users) and CSP User Equipment.
Figure 5 is a block diagram of a UE as well as various network functions for implementing one or more embodiments. Some embodiments in particular introduce a User Identity Authentication Function (also called User AuthN Function) for managing a User Identity database storing the public key and other metadata associated with the User Equipment Identity. Here, the UE Identity may take the form of a subscription identifier that identifies a subscription associated with a UE. The User AuthN Function may for example be implemented by network node 14 in Figure 1.
In some embodiments, the User Identity AuthN Function manages the user account database storing the public key and other metadata. Below are example data structures for two scenarios. Scenario a corresponds to Figure 4A (one user with one or more UEs) and scenario b to Figure 4B (one or more users sharing one UE).
a. User.Id 1, user.name=user1@example.com, rp.id=slice.csp.com, Public Key Credential, etc.
   ■ UE Id (GPSI/MSISDN=A)
   ■ UE Id (GPSI/MSISDN=B)
b. UE Id (GPSI/MSISDN=A)
   ■ User.Id 1, user.name=user1@example.com, rp.id=slice.csp.com, Public Key Credential, etc.
   ■ User.Id 2, user.name=user2@example.com, rp.id=slice.csp.com, Public Key Credential, etc.
In some embodiments, the User Identity AuthN Function uses W3C WebAuthN technology to parse the data from the Application Client on the User Equipment and uses it for User Identity registration and authentication. Some embodiments expose a User Identity authentication Network API towards applications for User Identity registration and authentication using W3C WebAuthN technology. That is, in order to support User Identity authentication behind the UE, some embodiments propose adding an Nnef_WebAuthN API in 3GPP for user identity registration and authentication, using W3C Web Authentication technology for accessing the Public Key Credential for the User Identity.
Figure 6 shows User Identity registration in CSP systems with association to a UE ID according to some embodiments, with reference numbers corresponding to the elements of Figure 1 that each element exemplifies.
Step 1. A user 12U requests that the user identity user.name=user1@example.com be associated with the User Equipment Identifier of a CSP subscriber, e.g., UE ID=GPSI/MSISDN 00461888xxxxxxx, through an Application Client in a device or mobile phone.
Step 2. The App Client (e.g., a CSP Relying Party Application in the device or mobile phone) requests registration of user.name=user1@example.com with CSP UE ID=GPSI 00461888xxxxxxx via the User AuthN API of the CSP User AuthN Function 14 (e.g., userAuthN.csp.com), in order to fetch registration information. The request of Step 2 exemplifies the registration request 16 in Figure 1.
Step 3. The User AuthN Function verifies that UE ID=GPSI/MSISDN 00461888xxxxxxx is valid using the CSP Number Verification network service (e.g., translating the UE IP address to the GPSI/MSISDN). This step exemplifies the procedure 18 in Figure 1. This check relies on the request arriving over the CSP's own data connection, so that the network can resolve the source address to the subscription it allocated that address to.
Step 4. The User AuthN Function generates user.id and challenge.id, and links user.id with user.name, UE ID, and rp.id (userAuthN.csp.com).
Step 5. The User AuthN Function generates PublicKeyCredentialCreationOptions including challenge.id, user.id, user.name, and rp.id (userAuthN.csp.com), linked to the UE ID.
Step 6. The User AuthN Function responds to the App Client with OK and the PublicKeyCredentialCreationOptions for registration. This response exemplifies the response 20 in Figure 1.
Step 7. The App Client calls the OS passkeys API, e.g., the Credential Management API navigator.credentials.create(), to create a User AuthN registration including challenge.id, user.id, and rp.id.
Step 8. The UE OS triggers the device Authenticator to identify the user.
Step 9. The device Authenticator requests user consent using the device screen lock (e.g., Face ID, fingerprint, etc.).
Step 10. The device Authenticator generates a new key pair, credential.id, and attestation related to user.id, rp.id, and challenge.id after user verification. Here, the public key of the new key pair exemplifies the credential 12C in Figure 1.
Step 11. The Authenticator returns signed data as a PublicKeyCredential including credential.id, clientDataJSON, and attestationObject.
Step 12. The UE OS returns the result to the App Client.
Step 13. The App Client calls the User AuthN API to send the registration information, including the PublicKeyCredential, to the User AuthN Function. The public key included in the PublicKeyCredential exemplifies the credential 12C in Figure 1.
Step 14. The User AuthN Function parses the PublicKeyCredential to validate challenge.id, user.id, and rp.id, and to extract the related credential.id and public key.
Step 15. The User AuthN Function stores credential.id and the public key associated with user.name, UE ID, and rp.id. This exemplifies the registry 14R in Figure 1. In some embodiments, further attributes of the credential record are stored as well, such as the attestationObject and the clientDataJSON received at registration.
Step 16. The User AuthN Function returns the registration result to the App Client.
Step 17. The App Client returns to the user a response with the result of associating user.name with the UE ID. Notably, then, user.name is associated with the UE ID in Steps 3-5 of the registration procedure.
In some embodiments, Steps 6-13 reuse the W3C WebAuthN standards (https://www.w3.org/TR/webauthn-3/) and existing mobile phone practices on passkeys support (e.g., Google passkeys support, Apple passkeys support). Note that although some embodiments use the W3C WebAuthN standards together with device passkeys implementations for human user identity authentication, other authentication technologies such as password-based authentication can be used as well.
Figure 7 shows User Identity authentication when the Application Client invokes CSP User AuthN APIs according to some embodiments.
Step 1. A user with user.name=user1@example.com requests to invoke a network capability, e.g., the Network QoS profile Video, Audio and Haptics.
Step 2. The App Client (e.g., a CSP Relying Party Application on the UE) calls the User AuthN API to fetch user authentication information.
Step 3. The User AuthN Function generates PublicKeyCredentialRequestOptions including challenge.id and rp.id.
Step 4. The User AuthN Function responds with OK and the PublicKeyCredentialRequestOptions.
Step 5. The App Client calls the OS passkeys API, e.g., the Credential Management API navigator.credentials.get(), to request a user authentication.
Step 6. The UE OS triggers the device Authenticator to identify the user.
Step 7. The device Authenticator requests user consent using the device screen lock (e.g., Face ID, fingerprint, etc.).
Step 8. The device Authenticator returns the result, including authenticatorData and the signature, to the OS.
Step 9. The UE OS returns the signed data as a PublicKeyCredential.
Step 10. The App Client calls the User AuthN API to send the authentication information, with an AuthenticatorAssertionResponse including credential.id, clientDataJSON, authenticatorData, and signature, to the User AuthN Function. This may exemplify the authentication request 30 in Figure 2.
Step 11. The User AuthN Function uses credential.id to look up the user.name and UE ID stored in the user identity registration data (Step 14 of the registration procedure above), parses clientDataJSON to validate challenge.id, and parses authenticatorData to validate rp.id (via its hash) and the user verification flags, then retrieves the stored public key and any attestation certificate to be used for verification.
Step 12. The User AuthN Function verifies the signature against the user's public key.
Step 13. The User AuthN Function validates the UE ID against the UE IP address using the CSP Number Verification network service.
Step 14. The User AuthN Function generates a User Id token (carrying user.name and UE ID) after successful authentication.
Step 15. The User AuthN Function returns the result with the User Id token to the App Client. This User Id token exemplifies the token(s) 34 in Figure 2.
Step 16. The App Client invokes a Network API, e.g., Nnef_AsSessionWithQoS, with a custom HTTP header carrying the User Id token from the User AuthN Function. This invocation exemplifies the access request 36 in Figure 2.
Step 17. The API Exposure Function verifies the User Id token with the User AuthN Function and allows or denies the API invocation based on the token validation. At this step, a user who has not registered or has not been authenticated in the CSP User AuthN Function cannot present a valid User Id token, and the API invocation is denied.
In some embodiments, Steps 4-10 reuse the W3C WebAuthN standards (https://www.w3.org/TR/webauthn-3/) and existing mobile phone practices on passkeys support (e.g., Google passkeys support, Apple passkeys support). Although some embodiments use the W3C WebAuthN standards together with device passkeys implementations for human user identity authentication, other embodiments use other authentication technologies such as password-based authentication.
Consider now User authorization in CSP systems according to some embodiments. In some embodiments, a User Profile Function manages user profiles associated with a UE and the services accessed by the UE. Such a user profile may be an example of the user profile 12P in Figure 2.
A user profile may be defined by CSP and associated with the UE subscription. In this case, Order Management system may provision the user profiles to User Profile Function.
A user profile may be defined by the UE owner (e.g., Enterprise). In this case, UE owner may directly provision the user profiles to User Profile Function.
A user profile may include information about authorizing this user to access a certain service through the target UE. A user profile may include one or more of:
- User Id (user.name in the Metaverse)
- UE ID (CSP subscriber Id, e.g., GPSI)
- Network services subscription, e.g., Network QoS profile Video, Audio, Haptics for the Metaverse
- Constraints (e.g., valid UE location for the network service subscription, valid time period)
After authentication or during authentication of the user, the User AuthN Function may obtain the user profile from the User Profile Function and issue an access token taking the user profile into account. The authentication request may include information about the services that the user wants to access. This information may also be taken into account when issuing the access token.
The User AuthN Function may provide both the User ID Token and access token, may provide only the User ID Token, or may provide only the access token.
The User Profile Function may be located in different layers, such as a part of UDM or the User AuthN Function, or as a separate function.
The User AuthN Function may obtain the UE location and use that information in the authorization decision.
User Identity de-registration in CSP systems
The User Identity AuthN Function can also support the User Identity lifecycle, including de-registration of the User Identity association with the UE ID, using a procedure similar to those defined above.
Some embodiments use terminology as defined below.
In some embodiments W3C WebAuthN is an API enabling the creation and use of strong, attested, scoped, public key-based credentials by web applications, for the purpose of strongly authenticating users. A public key credential is created and stored by a WebAuthn Authenticator at the behest of a WebAuthn Relying Party, subject to user consent. Subsequently, the public key credential can only be accessed by origins belonging to that Relying Party. This scoping is enforced jointly by conforming User Agents and authenticators. Additionally, privacy across Relying Parties is maintained; Relying Parties are not able to detect any properties, or even the existence, of credentials scoped to other Relying Parties. Relying Parties employ the Web Authentication API during two distinct, but related, ceremonies involving a user. The first is Registration, where a public key credential is created on an authenticator, and scoped to a Relying Party with the present user’s account (the account might already exist or might be created at this time). The second is Authentication, where the Relying Party is presented with an Authentication Assertion proving the presence and consent of the user who registered the public key credential. Functionally, the Web Authentication API comprises a PublicKeyCredential which extends the Credential Management API [CREDENTIAL-MANAGEMENT-1], and infrastructure which allows those credentials to be used with navigator.credentials.create() and navigator.credentials.get(). The former is used during Registration, and the latter during Authentication.
Generally, attestation is a statement that serves to bear witness, confirm, or authenticate. In the WebAuthn context, attestation is employed to provide verifiable evidence as to the origin of an authenticator and the data it emits. This includes such things as credential IDs, credential key pairs, signature counters, etc.
A credential key pair is a pair of asymmetric cryptographic keys generated by an authenticator and scoped to a specific WebAuthn Relying Party. It is the central part of a public key credential. A credential public key is the public key portion of a credential key pair. The credential public key is returned to the Relying Party during a registration ceremony. A credential private key is the private key portion of a credential key pair. The credential private key is bound to a particular authenticator - its managing authenticator - and is expected to never be exposed to any other party, not even to the owner of the authenticator.
attestationObject: The value of the attestationObject attribute when the public key credential source was registered. Storing this enables the Relying Party to reference the credential’s attestation statement at a later time.
attestationClientDataJSON: The value of the clientDataJSON attribute when the public key credential source was registered. Storing this in combination with the above attestationObject item enables the Relying Party to re-verify the attestation signature at a later time.
An attestation signature is produced when a new public key credential is created via an authenticatorMakeCredential operation. An attestation signature provides cryptographic proof of certain properties of the authenticator and the credential. For instance, an attestation signature asserts the authenticator type (as denoted by its AAGUID) and the credential public key. The attestation signature is signed by an attestation private key, which is chosen depending on the type of attestation desired.
Generically, a credential is data one entity presents to another in order to authenticate the former to the latter [RFC4949]. The term public key credential refers to one of: a public key credential source, the possibly-attested credential public key corresponding to a public key credential source, or an authentication assertion. A "credential" is thus both a) the thing presented to prove a statement and b) intended to be used multiple times.
At registration time, the authenticator creates an asymmetric key pair, and stores its private key portion and information from the Relying Party into a public key credential source. The public key portion is returned to the Relying Party, which then stores it in the active user account. Subsequently, only that Relying Party, as identified by its RP ID, is able to employ the public key credential in authentication ceremonies, via the get() method. The Relying Party uses its stored copy of the credential public key to verify the resultant authentication assertion.
Registration Ceremony: The ceremony where a user, a Relying Party, and the user’s client platform (containing or connected to at least one authenticator) work in concert to create a public key credential and associate it with a user account. Note that this includes employing a test of user presence or user verification. After a successful registration ceremony, the user can be authenticated by an authentication ceremony.
Authentication ceremony: The ceremony where a user, and the user’s client platform (containing or connected to at least one authenticator) work in concert to cryptographically prove to a Relying Party that the user controls the credential private key of a previously-registered public key credential (see Registration). Note that this includes a test of user presence or user verification.
User Account: In the context herein, a user account denotes the mapping of a set of credentials [CREDENTIAL-MANAGEMENT-1] to a (sub)set of a Relying Party's resources, as maintained and authorized by the Relying Party. The Relying Party maps a given public key credential to a user account by assigning a user account-specific value to the credential’s user handle and storing a credential record for the credential in the user account. This mapping, the set of credentials, and their authorizations, may evolve over time. A given user account might be accessed by one or more natural persons (also known as "users"), and one natural person might have access to one or more user accounts, depending on actions of the user(s) and the Relying Party.
In view of the modifications and variations herein, Figure 8 depicts a method performed by a communication device in accordance with particular embodiments. The method includes transmitting, to a network node in a communication network, a registration request that requests registration of a user of the communication device and/or registration of a credential associated with the user, wherein the registration request includes subscription identifying information that identifies a subscription based on which the communication device is registered with the communication network (Block 800).
In some embodiments, the registration request requests registration of a user name for the user with the subscription identifying information.
In some embodiments, the subscription identifying information is a GPSI or an MSISDN.
In some embodiments, the method further comprises, after registration of the user and/or the credential, transmitting an authentication request to the network node requesting authentication of the user with the credential (Block 810). In some embodiments, the authentication request includes a user name with which the user is registered. In some embodiments, the authentication request includes information about one or more network services to which the user requests access. In some embodiments, the method further comprises receiving one or more tokens from the network node in response to the authentication request (Block 820). In some embodiments, the method further comprises transmitting an invocation request requesting invocation of a network service on the basis of at least one of the one or more tokens, wherein the invocation request includes the at least one of the one or more tokens (Block 830). In some embodiments, the one or more tokens include a user identity token that includes a username of the user and/or the subscription identifying information. In other embodiments, the one or more tokens alternatively or additionally include an access token that indicates the user and the communication device in combination are authorized to access the requested network service.
In some embodiments, the credential is a public cryptographic key that is paired with a corresponding private cryptographic key.
In some embodiments, the method is performed by an application client executed on the communication device. In some embodiments, the application client is an application client of a communication service provider that provides the communication network.
In some embodiments, the network node implements a User AuthN Function.
In some embodiments, the user is a human user.
In some embodiments, the registration request is transmitted according to a W3C WebAuthN protocol or standard.
In some embodiments, the registration request is transmitted according to a passwordless authentication protocol.
In some embodiments, the credential is a password.
Figures 9A-9B depict a method performed by a network node in a communication network in accordance with other particular embodiments. The method includes receiving, from a communication device, a credential that is attested as being associated with a user of the communication device (Block 900). The method also comprises registering the credential with the network node as being associated with the user and the communication device in combination (Block 910).
In some embodiments, said registering comprises associating the credential with the user and the communication device in combination by linking user identifying information that identifies the user, subscription identifying information that identifies a subscription based on which the communication device is registered with the communication network, and the credential. In some embodiments, said linking comprises mapping the credential to a user account maintained for the user at the network node. In some embodiments, the user account for the user includes the user identifying information and the subscription identifying information. In some embodiments, said linking comprises storing, in a user account maintained at the network node for the user, the user identifying information. In some embodiments, said linking comprises storing, in a user account maintained at the network node for the user, the subscription identifying information. In some embodiments, said linking comprises storing, in a user account maintained at the network node for the user, a credential record for the credential. In some embodiments, the user identifying information is a user identity or a user name. In other embodiments, alternatively or additionally, the subscription identifying information is a GPSI or an MSISDN. In some embodiments, said linking comprises storing, in a data structure at the network node, data that indicates for the user identifying information and the credential, one or more subscription identifiers that identify one or more respective subscriptions based on which one or more communication devices are registered with the communication network. In other embodiments, said linking comprises storing, in a data structure at the network node, data that indicates for the subscription identifying information, one or more user-credential pairs. 
In some embodiments, each user-credential pair comprises a pair of user identifying information identifying the user and a credential registered as being associated with the user. In some embodiments, said receiving further comprises receiving a credential identifier that identifies the credential, and said registering comprises registering the credential as being identified by the credential identifier.
In some embodiments, said registering comprises registering the credential as being valid for authenticating the user if the user is using the communication device.
In some embodiments, the method further comprises, after registering the credential, receiving a request to authenticate the user with the credential (Block 920). In some embodiments, the method further comprises checking whether a communication device from which the request was received is one of the communication devices with which the credential is registered as being associated (Block 930). In some embodiments, said checking comprises performing one or more of, or requesting another network node to perform one or more of: (i) translating a network layer address of the communication device from which the request was received to a subscription identifier, based on the network layer address having been allocated by the communication network to a communication device associated with that subscription identifier; and (ii) checking whether the subscription identifier is the same as a subscription identifier associated with one of the communication devices with which the credential is registered as being associated.
In some embodiments, the method further comprises deciding that authentication of the user has failed, based on the communication device from which the request was received not being one of the communication devices with which the credential is registered as being associated according to said checking. In other embodiments, the method further comprises deciding that authentication of the user has succeeded, based at least in part on the communication device from which the request was received being one of the communication devices with which the credential is registered as being associated according to said checking. In some embodiments, the credential is a public cryptographic key paired with a corresponding private cryptographic key. In some embodiments, the request includes a cryptographic signature asserted as being created with the private cryptographic key and/or as being verifiable with the public cryptographic key. In some embodiments, the method further comprises attempting to verify the cryptographic signature with the public cryptographic key. In some embodiments, the method further comprises deciding whether authentication of the user has succeeded or failed, based at least in part on whether the attempt to verify the cryptographic signature succeeded or failed. In some embodiments, the request to authenticate the user includes a credential identifier that identifies the credential to be used for authenticating the user. In some embodiments, the method further comprises, based on authentication of the user succeeding, generating a token and transmitting the token in a response to the request (Block 940).
In some embodiments, the method further comprises, before receiving the credential, receiving a request to register a user name for the user with subscription identifying information that identifies a subscription to the communication network, wherein the request includes the subscription identifying information (Block 950). In some embodiments, the method further comprises checking whether a communication device from which the request was received is registered with the communication network based on the same subscription identifying information as that included in the request (Block 960). In some embodiments, the method further comprises deciding whether or not to register the user name according to the request based at least in part on said checking (Block 970). In some embodiments, said checking comprises performing one or more of, or requesting another network node to perform one or more of: (i) translating a network layer address of the communication device from which the request was received to subscription identifying information, based on the network layer address having been allocated by the communication network to a communication device associated with that subscription identifying information; and (ii) checking whether the subscription identifying information is the same as the subscription identifying information included in the request.
In some embodiments, the credential is a public cryptographic key that is paired with a corresponding private cryptographic key.
In some embodiments, the credential is received from an application client executed by the communication device. In some embodiments, the application client is an application client of a communication service provider that provides the communication network.
In some embodiments, the network node implements a User AuthN Function.
In some embodiments, the user is a human user.
In some embodiments, the credential is received and registered according to a W3C WebAuthN protocol or standard. In some embodiments, the credential is received and registered according to a passwordless authentication protocol.
In some embodiments, the credential is a password.
In some embodiments, the method further comprises obtaining a user profile provisioned in the communication network for the user and the communication device in combination (Block 980). In some embodiments, the user profile indicates which one or more network services the user and the communication device in combination are nominally authorized to access (Block 985). In other embodiments, the user profile alternatively or additionally indicates one or more dynamic conditions under which the user and the communication device in combination are, or are not, actually authorized to access the one or more network services (Block 990). In some embodiments, the method further comprises controlling authorization of the user and the communication device in combination to access one or more network services according to the user profile (Block 995). In some embodiments, said controlling comprises receiving, from the communication device, a request by the user to access a network service. In some embodiments, said controlling comprises checking whether the user and the communication device in combination are authorized to access the requested network service according to the user profile. In some embodiments, said controlling comprises allowing or rejecting the request to access the requested network service depending on said checking. In some embodiments, said allowing or rejecting comprises allowing the request and transmitting a response to the request including an access token granting the user and the communication device in combination access to the requested network service. In some embodiments, said checking comprises checking whether the user and the communication device in combination are nominally authorized to access the requested network service according to the user profile. In other embodiments, said checking alternatively or additionally comprises checking whether the one or more dynamic conditions in the user profile are met. 
In some embodiments, the one or more dynamic conditions include a location at which the user and the communication device in combination are, or are not, authorized to access the one or more network services. In other embodiments, the one or more dynamic conditions alternatively or additionally include a time period during which the user and the communication device in combination are, or are not, authorized to access the one or more network services. In some embodiments, obtaining the user profile comprises receiving the user profile from another network node that implements a user profile function.
Figures 10A-10B depict a method performed by a network node in a communication network in accordance with other particular embodiments. The method includes receiving, from a communication device, a credential that is attested as being associated with a user of the communication device (Block 1000). The method also comprises registering the user with the network node, including associating the credential with the user and the communication device in combination (Block 1010).
In some embodiments, said associating the credential with the user and the communication device in combination comprises linking user identifying information that identifies the user, subscription identifying information that identifies a subscription based on which the communication device is registered with the communication network, and the credential. In some embodiments, said linking comprises mapping the credential to a user account maintained for the user at the network node. In some embodiments, the user account for the user includes the user identifying information and the subscription identifying information. In some embodiments, said linking comprises storing, in a user account maintained at the network node for the user, the user identifying information. In some embodiments, said linking comprises storing, in a user account maintained at the network node for the user, the subscription identifying information. In some embodiments, said linking comprises storing, in a user account maintained at the network node for the user, a credential record for the credential. In some embodiments, the user identifying information is a user identity or a user name. In other embodiments, alternatively or additionally, the subscription identifying information is a GPSI or an MSISDN. In some embodiments, said linking comprises storing, in a data structure at the network node, data. In some embodiments, the data indicates, for the user identifying information and the credential, one or more subscription identifiers that identify one or more respective subscriptions based on which one or more communication devices are registered with the communication network. In other embodiments, the data indicates, for the subscription identifying information, one or more user-credential pairs, wherein each user-credential pair comprises a pair of user identifying information identifying the user and a credential registered as being associated with the user. 
In some embodiments, said receiving further comprises receiving a credential identifier that identifies the credential, and wherein said registering comprises registering the credential as being identified by the credential identifier.
In some embodiments, said registering comprises registering the user as being authenticatable by the credential if the user is using the communication device.
In some embodiments, the method further comprises, after registering the user, receiving a request to authenticate the user with the credential (Block 1020). In some embodiments, the method further comprises checking whether a communication device from which the request was received is one of the communication devices with which the credential is associated (Block 1030). In some embodiments, said checking comprises performing one or more of, or requesting another network node to perform one or more of: (i) translating, or requesting another network node to translate, a network layer address of the communication device from which the request was received to a subscription identifier, based on the network layer address having been allocated by the communication network to a communication device associated with that subscription identifier; and (ii) checking whether the subscription identifier is the same as a subscription identifier associated with one of the communication devices with which the credential is associated. In some embodiments, the method further comprises deciding that authentication of the user has failed, based on the communication device from which the request was received not being one of the communication devices with which the credential is associated according to said checking. In other embodiments, the method further comprises deciding that authentication of the user has succeeded, based at least in part on the communication device from which the request was received being one of the communication devices with which the credential is associated according to said checking. In some embodiments, the credential is a public cryptographic key paired with a corresponding private cryptographic key. In some embodiments, the request includes a cryptographic signature asserted as being created with the private cryptographic key and/or as being verifiable with the public cryptographic key.
In some embodiments, the method further comprises attempting to verify the cryptographic signature with the public cryptographic key. In some embodiments, the method further comprises deciding whether or not authentication of the user has succeeded or failed, based at least in part on whether the attempt to verify the cryptographic signature succeeded or failed. In some embodiments, the request to authenticate the user includes a credential identifier that identifies the credential to be used for authenticating the user. In some embodiments, the method further comprises, based on authentication of the user succeeding, generating a token and transmitting the token in a response to the request (Block 1040).
In some embodiments, said registering comprises, before receiving the credential, receiving a request to register a user name for the user with subscription identifying information that identifies a subscription to the communication network (Block 1050). In some embodiments, the request includes the subscription identifying information. In some embodiments, said registering comprises checking whether a communication device from which the request was received is registered with the communication network based on the same subscription identifying information as that included in the request (Block 1060). In some embodiments, said registering comprises deciding whether or not to register the user name according to the request based at least in part on said checking (Block 1070). In some embodiments, said checking comprises translating a network layer address of the communication device from which the request was received to subscription identifying information, based on the network layer address having been allocated by the communication network to a communication device associated with that subscription identifying information. In some embodiments, said checking comprises checking whether the subscription identifying information is the same as the subscription identifying information based on which the communication device from which the request was received is registered with the communication network.
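A model of the registration and authentication decisions described for Figures 10A-10B, added here as an example and not code from the patent: the node links a user name and an attested public key to the subscription of the device each was received from, and later accepts a signed request only when the requesting device's address translates to a subscription the credential is bound to. Assumptions (none of them stated by the text): Ed25519 as the key type, a node-issued challenge as the signed message, an in-memory address-to-subscription table standing in for the other network node that performs the translation, and the token format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

var errUnknownAddr = errors.New("address was not allocated by this network")

type Credential struct {
	PublicKey ed25519.PublicKey
	Subs      map[string]bool // subscriptions (e.g. GPSIs) of the devices this key is bound to
}

type UserAccount struct {
	Subs        map[string]bool        // subscriptions the user name is registered with
	Credentials map[string]*Credential // keyed by credential identifier
}

// AuthNode models the User AuthN Function of Figures 10A-10B.
type AuthNode struct {
	accounts  map[string]*UserAccount
	addrToSub map[string]string // address-to-subscription translation; another node answers it in practice (assumed)
}

func NewAuthNode(addrToSub map[string]string) *AuthNode {
	return &AuthNode{accounts: map[string]*UserAccount{}, addrToSub: addrToSub}
}

// RegisterUserName (Blocks 1050-1070): the subscription named in the request must be the one the device is registered with.
func (n *AuthNode) RegisterUserName(user, claimedSub, fromAddr string) error {
	sub, ok := n.addrToSub[fromAddr]
	if !ok {
		return errUnknownAddr
	}
	if sub != claimedSub {
		return fmt.Errorf("device is registered with %s, not %s", sub, claimedSub)
	}
	if n.accounts[user] == nil {
		n.accounts[user] = &UserAccount{Subs: map[string]bool{}, Credentials: map[string]*Credential{}}
	}
	n.accounts[user].Subs[sub] = true
	return nil
}

// RegisterCredential (Blocks 1000-1010) binds the attested key to the user and to the subscription of the sending device.
func (n *AuthNode) RegisterCredential(user, credID string, pub ed25519.PublicKey, fromAddr string) error {
	sub, ok := n.addrToSub[fromAddr]
	if !ok {
		return errUnknownAddr
	}
	acct := n.accounts[user]
	if acct == nil || !acct.Subs[sub] {
		return errors.New("user name is not registered with this device's subscription")
	}
	if acct.Credentials[credID] == nil {
		acct.Credentials[credID] = &Credential{PublicKey: pub, Subs: map[string]bool{}}
	}
	acct.Credentials[credID].Subs[sub] = true
	return nil
}

type AuthRequest struct { // Block 1020; signing a node-issued challenge is an assumption
	User, CredID, FromAddr string
	Challenge, Signature   []byte
}

// Authenticate (Blocks 1030-1040) issues a token only if the request comes from a device the credential
// is bound to and the signature verifies with the registered public key.
func (n *AuthNode) Authenticate(req AuthRequest) (string, error) {
	sub, ok := n.addrToSub[req.FromAddr]
	if !ok {
		return "", errUnknownAddr
	}
	acct := n.accounts[req.User]
	if acct == nil || acct.Credentials[req.CredID] == nil {
		return "", errors.New("unknown user or credential identifier")
	}
	c := acct.Credentials[req.CredID]
	if !c.Subs[sub] {
		return "", errors.New("device is not one the credential is associated with")
	}
	if !ed25519.Verify(c.PublicKey, req.Challenge, req.Signature) {
		return "", errors.New("signature does not verify")
	}
	return fmt.Sprintf("tok-%s-%s", req.User, sub), nil // placeholder token format
}

func main() {
	node := NewAuthNode(map[string]string{"10.0.0.5": "GPSI-1", "10.0.0.9": "GPSI-2"}) // constructed allocations
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	fmt.Println(node.RegisterUserName("alice", "GPSI-1", "10.0.0.5"), node.RegisterCredential("alice", "cred-1", pub, "10.0.0.5"))
	req := AuthRequest{User: "alice", CredID: "cred-1", FromAddr: "10.0.0.5", Challenge: []byte("c1"), Signature: ed25519.Sign(priv, []byte("c1"))}
	fmt.Println(node.Authenticate(req)) // tok-alice-GPSI-1 <nil>
	req.FromAddr = "10.0.0.9"           // same valid signature, but from the device of GPSI-2
	fmt.Println(node.Authenticate(req)) // "" device is not one the credential is associated with
}
```

The second Authenticate call is the point of Block 1030: a correct signature is not enough when the request arrives from a device whose subscription the credential was never bound to.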
In some embodiments, the credential is a public cryptographic key that is paired with a corresponding private cryptographic key.
In some embodiments, the credential is received from an application client executed by the communication device. In some embodiments, the application client is an application client of a communication service provider that provides the communication network.
In some embodiments, the network node implements a User AuthN Function.
In some embodiments, the user is a human user.
In some embodiments, the credential is received and the user registered according to a W3C WebAuthN protocol or standard.
In some embodiments, the credential is received and the user registered according to a passwordless authentication protocol.
In some embodiments, the credential is a password.
In some embodiments, the method further comprises obtaining a user profile provisioned in the communication network for the user and the communication device in combination (Block 1080). In some embodiments, the user profile indicates which one or more network services the user and the communication device in combination are nominally authorized to access (Block 1085). In other embodiments, the user profile alternatively or additionally indicates one or more dynamic conditions under which the user and the communication device in combination are, or are not, actually authorized to access the one or more network services (Block 1090). In some embodiments, the method further comprises controlling authorization of the user and the communication device in combination to access one or more network services according to the user profile (Block 1095). In some embodiments, said controlling comprises receiving, from the communication device, a request by the user to access a network service. In some embodiments, said controlling comprises checking whether the user and the communication device in combination are authorized to access the requested network service according to the user profile. In some embodiments, said controlling comprises allowing or rejecting the request to access the requested network service depending on said checking. In some embodiments, said allowing or rejecting comprises allowing the request and transmitting a response to the request including an access token granting the user and the communication device in combination access to the requested network service. In some embodiments, said checking comprises checking whether the user and the communication device in combination are nominally authorized to access the requested network service according to the user profile. In other embodiments, said checking alternatively or additionally comprises checking whether the one or more dynamic conditions in the user profile are met. In some embodiments, the one or more dynamic conditions include a location at which the user and the communication device in combination are, or are not, authorized to access the one or more network services. In other embodiments, the one or more dynamic conditions alternatively or additionally include a time period during which the user and the communication device in combination are, or are not, authorized to access the one or more network services. In some embodiments, obtaining the user profile comprises receiving the user profile from another network node that implements a user profile function.
In some embodiments, the method further comprises deregistering the user.
Figure 11 depicts a method performed by a network node in a communication network in accordance with particular embodiments. The method includes obtaining a user profile provisioned in the communication network for a user and a communication device in combination (Block 1100). In some embodiments, the user profile indicates which one or more network services the user and the communication device in combination are nominally authorized to access (Block 1110). In some embodiments, the user profile alternatively or additionally indicates one or more dynamic conditions under which the user and the communication device in combination are, or are not, actually authorized to access the one or more network services (Block 1120). The method also comprises controlling authorization of the user and the communication device in combination to access one or more network services according to the user profile (Block 1130).
In some embodiments, said controlling comprises receiving, from the communication device, a request by the user to access a network service. In some embodiments, said controlling comprises checking whether the user and the communication device in combination are authorized to access the requested network service according to the user profile. In some embodiments, said controlling comprises allowing or rejecting the request to access the requested network service depending on said checking. In some embodiments, said allowing or rejecting comprises allowing the request and transmitting a response to the request including an access token granting the user and the communication device in combination access to the requested network service. In some embodiments, said checking comprises checking whether the user and the communication device in combination are nominally authorized to access the requested network service according to the user profile. In other embodiments, said checking alternatively or additionally comprises checking whether the one or more dynamic conditions in the user profile are met.
In some embodiments, the one or more dynamic conditions include a location at which the user and the communication device in combination are, or are not, authorized to access the one or more network services. In other embodiments, the one or more dynamic conditions alternatively or additionally include a time period during which the user and the communication device in combination are, or are not, authorized to access the one or more network services.
In some embodiments, obtaining the user profile comprises receiving the user profile from another network node that implements a user profile function.
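The profile-based authorization of Figure 11 (the same controlling step is described for Figures 9A-9B and 10A-10B), as an added example that is not the patent's own code: a profile provisioned per user and subscription lists the nominally authorized services together with the dynamic location and time-period conditions, and a request yields an access token only when every one of them holds. The profile layout, the in-memory provisioning standing in for the user profile function, and the token format are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// ProfileKey: a profile is provisioned for the user and the device (its subscription) in combination.
type ProfileKey struct{ User, Sub string }

// Window is a daily UTC period [Start, End) in minutes since midnight; Start > End wraps past midnight.
type Window struct{ Start, End int }

func (w Window) Contains(t time.Time) bool {
	m := t.UTC().Hour()*60 + t.UTC().Minute()
	if w.Start <= w.End {
		return m >= w.Start && m < w.End
	}
	return m >= w.Start || m < w.End
}

// UserProfile carries the nominal authorization (Block 1110) and the dynamic conditions (Block 1120).
type UserProfile struct {
	Services        map[string]bool // network services the combination is nominally authorized to access
	AllowedLocation map[string]bool // locations at which access is authorized; nil means any (assumption)
	DeniedLocation  map[string]bool // locations at which access is explicitly not authorized
	Windows         []Window        // time periods during which access is authorized; nil means any (assumption)
}

type AccessRequest struct {
	User, Sub, Service, Location string
	At                           time.Time
}

// Authorizer models the controlling step of Block 1130; profiles would come from the user profile function.
type Authorizer struct {
	profiles map[ProfileKey]*UserProfile
	issued   int
}

func NewAuthorizer() *Authorizer { return &Authorizer{profiles: map[ProfileKey]*UserProfile{}} }

// Provision stores a profile obtained for the combination (Block 1100); kept in memory by assumption.
func (a *Authorizer) Provision(user, sub string, p *UserProfile) { a.profiles[ProfileKey{user, sub}] = p }

// Authorize checks nominal authorization first, then each dynamic condition, and returns an access token
// only when all hold; every rejection names the condition that failed.
func (a *Authorizer) Authorize(r AccessRequest) (string, error) {
	p := a.profiles[ProfileKey{r.User, r.Sub}]
	if p == nil {
		return "", errors.New("no profile provisioned for this user and device")
	}
	if !p.Services[r.Service] {
		return "", fmt.Errorf("%s is not nominally authorized for this combination", r.Service)
	}
	if p.DeniedLocation[r.Location] || (p.AllowedLocation != nil && !p.AllowedLocation[r.Location]) {
		return "", fmt.Errorf("%s is not authorized at location %q", r.Service, r.Location)
	}
	if p.Windows != nil {
		inWindow := false
		for _, w := range p.Windows {
			if w.Contains(r.At) {
				inWindow = true
			}
		}
		if !inWindow {
			return "", fmt.Errorf("%s is not authorized at %s UTC", r.Service, r.At.UTC().Format("15:04"))
		}
	}
	a.issued++
	return fmt.Sprintf("access-%s-%s-%s-%d", r.User, r.Sub, r.Service, a.issued), nil // placeholder token format
}

func main() {
	az := NewAuthorizer()
	az.Provision("alice", "GPSI-1", &UserProfile{ // constructed profile
		Services:        map[string]bool{"voice": true, "streaming": true},
		AllowedLocation: map[string]bool{"office": true, "home": true},
		Windows:         []Window{{8 * 60, 18 * 60}}, // 08:00-18:00 UTC
	})
	at := time.Date(2024, 1, 10, 9, 30, 0, 0, time.UTC)
	fmt.Println(az.Authorize(AccessRequest{"alice", "GPSI-1", "streaming", "office", at}))              // access-alice-GPSI-1-streaming-1 <nil>
	fmt.Println(az.Authorize(AccessRequest{"alice", "GPSI-1", "streaming", "cafe", at}))                // location rejected
	fmt.Println(az.Authorize(AccessRequest{"alice", "GPSI-1", "voice", "home", at.Add(12 * time.Hour)})) // time period rejected
}
```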
In some embodiments, the network node implements a User AuthN Function.
In some embodiments, the user is a human user.
Figure 12 depicts a method performed by a network node in a communication network in accordance with other particular embodiments. The method comprises receiving a request to register a user name for a user with subscription identifying information that identifies a subscription to the communication network, wherein the request includes the subscription identifying information (Block 1200). The method further comprises checking whether a communication device from which the request was received is registered with the communication network based on subscription identifying information that is the same as the subscription identifying information included in the request (Block 1210). The method also comprises deciding whether or not to register the user name according to the request based at least in part on said checking (Block 1220).
In some embodiments, said checking comprises performing one or more of, or requesting another network node to perform one or more of: (i) determining the subscription identifying information based on which the communication device is registered with the communication network by translating a network layer address of the communication device to the subscription identifying information, based on the network layer address having been allocated by the communication network to a communication device associated with that subscription identifying information; and (ii) checking whether the determined subscription identifying information is the same as the subscription identifying information included in the request.
Embodiments herein also include corresponding apparatuses. Embodiments herein for instance include a communication device configured to perform any of the steps of any of the embodiments described above for the communication device.
Embodiments also include a communication device comprising processing circuitry and power supply circuitry. The processing circuitry is configured to perform any of the steps of any of the embodiments described above for the communication device. The power supply circuitry is configured to supply power to the communication device.
Embodiments further include a communication device comprising processing circuitry. The processing circuitry is configured to perform any of the steps of any of the embodiments described above for the communication device. In some embodiments, the communication device further comprises communication circuitry. Embodiments further include a communication device comprising processing circuitry and memory. The memory contains instructions executable by the processing circuitry whereby the communication device is configured to perform any of the steps of any of the embodiments described above for the communication device.
Embodiments moreover include a user equipment (UE). The UE comprises an antenna configured to send and receive wireless signals. The UE also comprises radio frontend circuitry connected to the antenna and to processing circuitry, and configured to condition signals communicated between the antenna and the processing circuitry. The processing circuitry is configured to perform any of the steps of any of the embodiments described above for the communication device. In some embodiments, the UE also comprises an input interface connected to the processing circuitry and configured to allow input of information into the UE to be processed by the processing circuitry. The UE may comprise an output interface connected to the processing circuitry and configured to output information from the UE that has been processed by the processing circuitry. The UE may also comprise a battery connected to the processing circuitry and configured to supply power to the UE.
Embodiments herein also include a network node configured to perform any of the steps of any of the embodiments described above for the network node.
Embodiments also include a network node comprising processing circuitry and power supply circuitry. The processing circuitry is configured to perform any of the steps of any of the embodiments described above for the network node. The power supply circuitry is configured to supply power to the network node.
Embodiments further include a network node comprising processing circuitry. The processing circuitry is configured to perform any of the steps of any of the embodiments described above for the network node. In some embodiments, the network node further comprises communication circuitry.
Embodiments further include a network node comprising processing circuitry and memory. The memory contains instructions executable by the processing circuitry whereby the network node is configured to perform any of the steps of any of the embodiments described above for the network node.
More particularly, the apparatuses described above may perform the methods herein and any other processing by implementing any functional means, modules, units, or circuitry. In one embodiment, for example, the apparatuses comprise respective circuits or circuitry configured to perform the steps shown in the method figures. The circuits or circuitry in this regard may comprise circuits dedicated to performing certain functional processing and/or one or more microprocessors in conjunction with memory. For instance, the circuitry may include one or more microprocessors or microcontrollers, as well as other digital hardware, which may include digital signal processors (DSPs), special-purpose digital logic, and the like. The processing circuitry may be configured to execute program code stored in memory, which may include one or several types of memory such as read-only memory (ROM), random-access memory, cache memory, flash memory devices, optical storage devices, etc. Program code stored in memory may include program instructions for executing one or more telecommunications and/or data communications protocols as well as instructions for carrying out one or more of the techniques described herein, in several embodiments. In embodiments that employ memory, the memory stores program code that, when executed by the one or more processors, carries out the techniques described herein.
Figure 13 for example illustrates a communication device 12 as implemented in accordance with one or more embodiments. As shown, the communication device 12 includes processing circuitry 1310 and communication circuitry 1320. The communication circuitry 1320 (e.g., radio circuitry) is configured to transmit and/or receive information to and/or from one or more other nodes, e.g., via any communication technology. Such communication may occur via one or more antennas that are either internal or external to the communication device 12. The processing circuitry 1310 is configured to perform processing described above, e.g., in Figure 8, such as by executing instructions stored in memory 1330. The processing circuitry 1310 in this regard may implement certain functional means, units, or modules.
Figure 14 illustrates a network node 14 as implemented in accordance with one or more embodiments. As shown, the network node 14 includes processing circuitry 1410 and communication circuitry 1420. The communication circuitry 1420 is configured to transmit and/or receive information to and/or from one or more other nodes, e.g., via any communication technology. The processing circuitry 1410 is configured to perform processing described above, e.g., in Figures 9A-9B, Figures 10A-10B, Figure 11, and/or Figure 12, such as by executing instructions stored in memory 1430. The processing circuitry 1410 in this regard may implement certain functional means, units, or modules.
Those skilled in the art will also appreciate that embodiments herein further include corresponding computer programs.
A computer program comprises instructions which, when executed on at least one processor of an apparatus, cause the apparatus to carry out any of the respective processing described above. A computer program in this regard may comprise one or more code modules corresponding to the means or units described above.
Embodiments further include a carrier containing such a computer program. This carrier may comprise one of an electronic signal, optical signal, radio signal, or computer readable storage medium. In this regard, embodiments herein also include a computer program product stored on a non-transitory computer readable (storage or recording) medium and comprising instructions that, when executed by a processor of an apparatus, cause the apparatus to perform as described above.
Embodiments further include a computer program product comprising program code portions for performing the steps of any of the embodiments herein when the computer program product is executed by a computing device. This computer program product may be stored on a computer readable recording medium.
Figure 15 shows an example of a communication system 1500 in accordance with some embodiments.
In the example, the communication system 1500 includes a telecommunication network 1502 that includes an access network 1504, such as a radio access network (RAN), and a core network 1506, which includes one or more core network nodes 1508. The access network 1504 includes one or more access network nodes, such as network nodes 1510a and 1510b (one or more of which may be generally referred to as network nodes 1510), or any other similar 3rd Generation Partnership Project (3GPP) access nodes or non-3GPP access points. Moreover, as will be appreciated by those of skill in the art, a network node is not necessarily limited to an implementation in which a radio portion and a baseband portion are supplied and integrated by a single vendor. Thus, it will be understood that network nodes include disaggregated implementations or portions thereof. For example, in some embodiments, the telecommunication network 1502 includes one or more Open-RAN (ORAN) network nodes. An ORAN network node is a node in the telecommunication network 1502 that supports an ORAN specification (e.g., a specification published by the O-RAN Alliance, or any similar organization) and may operate alone or together with other nodes to implement one or more functionalities of any node in the telecommunication network 1502, including one or more network nodes 1510 and/or core network nodes 1508.
Examples of an ORAN network node include an open radio unit (O-RU), an open distributed unit (O-DU), an open central unit (O-CU), including an O-CU control plane (O-CU-CP) or an O-CU user plane (O-CU-UP), a RAN intelligent controller (near-real time or non-real time) hosting software or software plug-ins, such as a near-real time control application (e.g., xApp) or a non-real time control application (e.g., rApp), or any combination thereof (the adjective “open” designating support of an ORAN specification). The network node may support a specification by, for example, supporting an interface defined by the ORAN specification, such as an A1, F1, W1, E1, E2, X2, Xn interface, an open fronthaul user plane interface, or an open fronthaul management plane interface. Moreover, an ORAN access node may be a logical node in a physical node. Furthermore, an ORAN network node may be implemented in a virtualization environment (described further below) in which one or more network functions are virtualized. For example, the virtualization environment may include an O-Cloud computing platform orchestrated by a Service Management and Orchestration Framework via an O2 interface defined by the O-RAN Alliance or comparable technologies. The network nodes 1510 facilitate direct or indirect connection of user equipment (UE), such as by connecting UEs 1512a, 1512b, 1512c, and 1512d (one or more of which may be generally referred to as UEs 1512) to the core network 1506 over one or more wireless connections.
Example wireless communications over a wireless connection include transmitting and/or receiving wireless signals using electromagnetic waves, radio waves, infrared waves, and/or other types of signals suitable for conveying information without the use of wires, cables, or other material conductors. Moreover, in different embodiments, the communication system 1500 may include any number of wired or wireless networks, network nodes, UEs, and/or any other components or systems that may facilitate or participate in the communication of data and/or signals whether via wired or wireless connections. The communication system 1500 may include and/or interface with any type of communication, telecommunication, data, cellular, radio network, and/or other similar type of system.
The UEs 1512 may be any of a wide variety of communication devices, including wireless devices arranged, configured, and/or operable to communicate wirelessly with the network nodes 1510 and other communication devices. Similarly, the network nodes 1510 are arranged, capable, configured, and/or operable to communicate directly or indirectly with the UEs 1512 and/or with other network nodes or equipment in the telecommunication network 1502 to enable and/or provide network access, such as wireless network access, and/or to perform other functions, such as administration in the telecommunication network 1502.
In the depicted example, the core network 1506 connects the network nodes 1510 to one or more host computing systems, such as host 1516. These connections may be direct or indirect via one or more intermediary networks or devices. In other examples, network nodes may be directly coupled to hosts. The core network 1506 includes one or more core network nodes (e.g., core network node 1508) that are structured with hardware and software components. Features of these components may be substantially similar to those described with respect to the UEs, network nodes, and/or hosts, such that the descriptions thereof are generally applicable to the corresponding components of the core network node 1508. Example core network nodes include functions of one or more of a Mobile Switching Center (MSC), Mobility Management Entity (MME), Home Subscriber Server (HSS), Access and Mobility Management Function (AMF), Session Management Function (SMF), Authentication Server Function (AUSF), Subscription Identifier De-concealing function (SIDF), Unified Data Management (UDM), Security Edge Protection Proxy (SEPP), Network Exposure Function (NEF), and/or a User Plane Function (UPF).
The host 1516 may be under the ownership or control of a service provider other than an operator or provider of the access network 1504 and/or the telecommunication network 1502. The host 1516 may host a variety of applications to provide one or more services. Examples of such applications include live and pre-recorded audio/video content, data collection services such as retrieving and compiling data on various ambient conditions detected by a plurality of UEs, analytics functionality, social media, functions for controlling or otherwise interacting with remote devices, functions for an alarm and surveillance center, or any other such function performed by a server.
As a whole, the communication system 1500 of Figure 15 enables connectivity between the UEs, network nodes, and hosts. In that sense, the communication system may be configured to operate according to predefined rules or procedures, such as specific standards that include, but are not limited to: Global System for Mobile Communications (GSM); Universal Mobile Telecommunications System (UMTS); Long Term Evolution (LTE), and/or other suitable 2G, 3G, 4G, 5G standards, or any applicable future generation standard (e.g., 6G); wireless local area network (WLAN) standards, such as the Institute of Electrical and Electronics Engineers (IEEE) 802.11 standards (WiFi); and/or any other appropriate wireless communication standard, such as the Worldwide Interoperability for Microwave Access (WiMax), Bluetooth, Z-Wave, Near Field Communication (NFC), ZigBee, LiFi, and/or any low-power wide-area network (LPWAN) standards such as LoRa and Sigfox.
In some examples, the telecommunication network 1502 is a cellular network that implements 3GPP standardized features. Accordingly, the telecommunications network 1502 may support network slicing to provide different logical networks to different devices that are connected to the telecommunication network 1502. For example, the telecommunications network 1502 may provide Ultra Reliable Low Latency Communication (URLLC) services to some UEs, while providing Enhanced Mobile Broadband (eMBB) services to other UEs, and/or Massive Machine Type Communication (mMTC)/Massive IoT services to yet further UEs.
In some examples, the UEs 1512 are configured to transmit and/or receive information without direct human interaction. For instance, a UE may be designed to transmit information to the access network 1504 on a predetermined schedule, when triggered by an internal or external event, or in response to requests from the access network 1504. Additionally, a UE may be configured for operating in single- or multi-RAT or multi-standard mode. For example, a UE may operate with any one or combination of Wi-Fi, NR (New Radio) and LTE, i.e. being configured for multi-radio dual connectivity (MR-DC), such as E-UTRAN (Evolved-UMTS Terrestrial Radio Access Network) New Radio - Dual Connectivity (EN-DC).
In the example, the hub 1514 communicates with the access network 1504 to facilitate indirect communication between one or more UEs (e.g., UE 1512c and/or 1512d) and network nodes (e.g., network node 1510b). In some examples, the hub 1514 may be a controller, router, content source and analytics, or any of the other communication devices described herein regarding UEs. For example, the hub 1514 may be a broadband router enabling access to the core network 1506 for the UEs. As another example, the hub 1514 may be a controller that sends commands or instructions to one or more actuators in the UEs. Commands or instructions may be received from the UEs, network nodes 1510, or by executable code, script, process, or other instructions in the hub 1514. As another example, the hub 1514 may be a data collector that acts as temporary storage for UE data and, in some embodiments, may perform analysis or other processing of the data. As another example, the hub 1514 may be a content source. For example, for a UE that is a VR device, display, loudspeaker, or other media delivery device, the hub 1514 may retrieve VR assets, video, audio, or other media or data related to sensory information via a network node, which the hub 1514 then provides to the UE either directly, after performing local processing, and/or after adding additional local content. In still another example, the hub 1514 acts as a proxy server or orchestrator for the UEs, in particular if one or more of the UEs are low energy IoT devices.
The hub 1514 may have a constant/persistent or intermittent connection to the network node 1510b. The hub 1514 may also allow for a different communication scheme and/or schedule between the hub 1514 and UEs (e.g., UE 1512c and/or 1512d), and between the hub 1514 and the core network 1506. In other examples, the hub 1514 is connected to the core network 1506 and/or one or more UEs via a wired connection. Moreover, the hub 1514 may be configured to connect to an M2M service provider over the access network 1504 and/or to another UE over a direct connection. In some scenarios, UEs may establish a wireless connection with the network nodes 1510 while still connected via the hub 1514 via a wired or wireless connection. In some embodiments, the hub 1514 may be a dedicated hub - that is, a hub whose primary function is to route communications to/from the UEs from/to the network node 1510b. In other embodiments, the hub 1514 may be a non-dedicated hub - that is, a device which is capable of operating to route communications between the UEs and network node 1510b, but which is additionally capable of operating as a communication start and/or end point for certain data channels.
Figure 16 shows a UE 1600 in accordance with some embodiments. The UE 1600 presents additional details of some embodiments of the UE 1512 of Figure 15. As used herein, a UE refers to a device capable, configured, arranged and/or operable to communicate wirelessly with network nodes and/or other UEs. Examples of a UE include, but are not limited to, a smart phone, mobile phone, cell phone, voice over IP (VoIP) phone, wireless local loop phone, desktop computer, personal digital assistant (PDA), wireless cameras, gaming console or device, music storage/playback device, wearable terminal device, wireless endpoint, mobile station, tablet, laptop, laptop-embedded equipment (LEE), laptop-mounted equipment (LME), an Augmented Reality (AR) or Virtual Reality (VR) device, wireless customer-premise equipment (CPE), vehicle, vehicle-mounted or vehicle embedded/integrated wireless device, etc. Other examples include any UE identified by the 3rd Generation Partnership Project (3GPP), including a narrow band internet of things (NB-IoT) UE, a machine type communication (MTC) UE, and/or an enhanced MTC (eMTC) UE.
A UE may support device-to-device (D2D) communication, for example by implementing a 3GPP standard for sidelink communication, Dedicated Short-Range Communication (DSRC), vehicle-to-vehicle (V2V), vehicle-to-infrastructure (V2I), or vehicle-to-everything (V2X). In other examples, a UE may not necessarily have a user in the sense of a human user who owns and/or operates the relevant device. Instead, a UE may represent a device that is intended for sale to, or operation by, a human user but which may not, or which may not initially, be associated with a specific human user (e.g., a smart sprinkler controller). Alternatively, a UE may represent a device that is not intended for sale to, or operation by, an end user but which may be associated with or operated for the benefit of a user (e.g., a smart power meter).
The UE 1600 includes processing circuitry 1602 that is operatively coupled via a bus 1604 to an input/output interface 1606, a power source 1608, a memory 1610, a communication interface 1612, and/or any other component, or any combination thereof. Certain UEs may utilize all or a subset of the components shown in Figure 16. The level of integration between the components may vary from one UE to another UE. Further, certain UEs may contain multiple instances of a component, such as multiple processors, memories, transceivers, transmitters, receivers, etc.
The processing circuitry 1602 is configured to process instructions and data and may be configured to implement any sequential state machine operative to execute instructions stored as machine-readable computer programs in the memory 1610. The processing circuitry 1602 may be implemented as one or more hardware-implemented state machines (e.g., in discrete logic, field-programmable gate arrays (FPGAs), application specific integrated circuits (ASICs), etc.); programmable logic together with appropriate firmware; one or more stored computer programs, general-purpose processors, such as a microprocessor or digital signal processor (DSP), together with appropriate software; or any combination of the above. For example, the processing circuitry 1602 may include multiple central processing units (CPUs). In the example, the input/output interface 1606 may be configured to provide an interface or interfaces to an input device, output device, or one or more input and/or output devices. Examples of an output device include a speaker, a sound card, a video card, a display, a monitor, a printer, an actuator, an emitter, a smartcard, another output device, or any combination thereof. An input device may allow a user to capture information into the UE 1600. Examples of an input device include a touch-sensitive or presence-sensitive display, a camera (e.g., a digital camera, a digital video camera, a web camera, etc.), a microphone, a sensor, a mouse, a trackball, a directional pad, a trackpad, a scroll wheel, a smartcard, and the like. The presence-sensitive display may include a capacitive or resistive touch sensor to sense input from a user. A sensor may be, for instance, an accelerometer, a gyroscope, a tilt sensor, a force sensor, a magnetometer, an optical sensor, a proximity sensor, a biometric sensor, etc., or any combination thereof. An output device may use the same type of interface port as an input device. For example, a Universal Serial Bus (USB) port may be used to provide an input device and an output device.
In some embodiments, the power source 1608 is structured as a battery or battery pack. Other types of power sources, such as an external power source (e.g., an electricity outlet), photovoltaic device, or power cell, may be used. The power source 1608 may further include power circuitry for delivering power from the power source 1608 itself, and/or an external power source, to the various parts of the UE 1600 via input circuitry or an interface such as an electrical power cable. Delivering power may be, for example, for charging of the power source 1608. Power circuitry may perform any formatting, converting, or other modification to the power from the power source 1608 to make the power suitable for the respective components of the UE 1600 to which power is supplied.
The memory 1610 may be or be configured to include memory such as random access memory (RAM), read-only memory (ROM), programmable read-only memory (PROM), erasable programmable read-only memory (EPROM), electrically erasable programmable read-only memory (EEPROM), magnetic disks, optical disks, hard disks, removable cartridges, flash drives, and so forth. In one example, the memory 1610 includes one or more application programs 1614, such as an operating system, web browser application, a widget, gadget engine, or other application, and corresponding data 1616. The memory 1610 may store, for use by the UE 1600, any of a variety of various operating systems or combinations of operating systems.
The memory 1610 may be configured to include a number of physical drive units, such as redundant array of independent disks (RAID), flash memory, USB flash drive, external hard disk drive, thumb drive, pen drive, key drive, high-density digital versatile disc (HD-DVD) optical disc drive, internal hard disk drive, Blu-Ray optical disc drive, holographic digital data storage (HDDS) optical disc drive, external mini-dual in-line memory module (DIMM), synchronous dynamic random access memory (SDRAM), external micro-DIMM SDRAM, smartcard memory such as a tamper resistant module in the form of a universal integrated circuit card (UICC) including one or more subscriber identity modules (SIMs), such as a USIM and/or ISIM, other memory, or any combination thereof. The UICC may for example be an embedded UICC (eUICC), integrated UICC (iUICC) or a removable UICC commonly known as a 'SIM card.' The memory 1610 may allow the UE 1600 to access instructions, application programs and the like, stored on transitory or non-transitory memory media, to off-load data, or to upload data. An article of manufacture, such as one utilizing a communication system, may be tangibly embodied as or in the memory 1610, which may be or comprise a device-readable storage medium.
The processing circuitry 1602 may be configured to communicate with an access network or other network using the communication interface 1612. The communication interface 1612 may comprise one or more communication subsystems and may include or be communicatively coupled to an antenna 1622. The communication interface 1612 may include one or more transceivers used to communicate, such as by communicating with one or more remote transceivers of another device capable of wireless communication (e.g., another UE or a network node in an access network). Each transceiver may include a transmitter 1618 and/or a receiver 1620 appropriate to provide network communications (e.g., optical, electrical, frequency allocations, and so forth). Moreover, the transmitter 1618 and receiver 1620 may be coupled to one or more antennas (e.g., antenna 1622) and may share circuit components, software or firmware, or alternatively be implemented separately.
In the illustrated embodiment, communication functions of the communication interface 1612 may include cellular communication, Wi-Fi communication, LPWAN communication, data communication, voice communication, multimedia communication, short-range communications such as Bluetooth, near-field communication, location-based communication such as the use of the global positioning system (GPS) to determine a location, another like communication function, or any combination thereof. Communications may be implemented according to one or more communication protocols and/or standards, such as IEEE 802.11, Code Division Multiple Access (CDMA), Wideband Code Division Multiple Access (WCDMA), GSM, LTE, New Radio (NR), UMTS, WiMax, Ethernet, transmission control protocol/internet protocol (TCP/IP), synchronous optical networking (SONET), Asynchronous Transfer Mode (ATM), QUIC, Hypertext Transfer Protocol (HTTP), and so forth.
Regardless of the type of sensor, a UE may provide an output of data captured by its sensors, through its communication interface 1612, via a wireless connection to a network node. Data captured by sensors of a UE can be communicated through a wireless connection to a network node via another UE. The output may be periodic (e.g., once every 15 minutes if it reports the sensed temperature), random (e.g., to even out the load from reporting from several sensors), in response to a triggering event (e.g., when moisture is detected an alert is sent), in response to a request (e.g., a user initiated request), or a continuous stream (e.g., a live video feed of a patient).
As another example, a UE comprises an actuator, a motor, or a switch, related to a communication interface configured to receive wireless input from a network node via a wireless connection. In response to the received wireless input the states of the actuator, the motor, or the switch may change. For example, the UE may comprise a motor that adjusts the control surfaces or rotors of a drone in flight according to the received input or to a robotic arm performing a medical procedure according to the received input.
A UE, when in the form of an Internet of Things (IoT) device, may be a device for use in one or more application domains, these domains comprising, but not limited to, city wearable technology, extended industrial application and healthcare. Non-limiting examples of such an IoT device are a device which is or which is embedded in: a connected refrigerator or freezer, a TV, a connected lighting device, an electricity meter, a robot vacuum cleaner, a voice controlled smart speaker, a home security camera, a motion detector, a thermostat, a smoke detector, a door/window sensor, a flood/moisture sensor, an electrical door lock, a connected doorbell, an air conditioning system like a heat pump, an autonomous vehicle, a surveillance system, a weather monitoring device, a vehicle parking monitoring device, an electric vehicle charging station, a smart watch, a fitness tracker, a wearable for tactile augmentation or sensory enhancement, a water sprinkler, an animal- or item-tracking device, a sensor for monitoring a plant or animal, an industrial robot, an Unmanned Aerial Vehicle (UAV), and any kind of medical device, like a heart rate monitor or a remote controlled surgical robot. A UE in the form of an IoT device comprises circuitry and/or software in dependence of the intended application of the IoT device in addition to other components as described in relation to the UE 1600 shown in Figure 16.
As yet another specific example, in an IoT scenario, a UE may represent a machine or other device that performs monitoring and/or measurements, and transmits the results of such monitoring and/or measurements to another UE and/or a network node. The UE may in this case be an M2M device, which may in a 3GPP context be referred to as an MTC device. As one particular example, the UE may implement the 3GPP NB-IoT standard. In other scenarios, a UE may represent a vehicle, such as a car, a bus, a truck, a ship or an airplane, or other equipment that is capable of monitoring and/or reporting on its operational status or other functions associated with its operation.
In practice, any number of UEs may be used together with respect to a single use case. For example, a first UE might be or be integrated in a drone and provide the drone’s speed information (obtained through a speed sensor) to a second UE that is a remote controller operating the drone. When the user makes changes from the remote controller, the first UE may adjust the throttle on the drone (e.g. by controlling an actuator) to increase or decrease the drone’s speed. The first and/or the second UE can also include more than one of the functionalities described above. For example, a UE might comprise the sensor and the actuator, and handle communication of data for both the speed sensor and the actuators.
Figure 17 shows a network node 1700 in accordance with some embodiments. As used herein, network node refers to equipment capable, configured, arranged and/or operable to communicate directly or indirectly with a UE and/or with other network nodes or equipment, in a telecommunication network. Examples of network nodes include, but are not limited to, access points (APs) (e.g., radio access points), base stations (BSs) (e.g., radio base stations, Node Bs, evolved Node Bs (eNBs) and NR NodeBs (gNBs)), O-RAN nodes or components of an O-RAN node (e.g., O-RU, O-DU, O-CU).
Base stations may be categorized based on the amount of coverage they provide (or, stated differently, their transmit power level) and so, depending on the provided amount of coverage, may be referred to as femto base stations, pico base stations, micro base stations, or macro base stations. A base station may be a relay node or a relay donor node controlling a relay. A network node may also include one or more (or all) parts of a distributed radio base station such as centralized digital units, distributed units (e.g., in an O- RAN access node) and/or remote radio units (RRUs), sometimes referred to as Remote Radio Heads (RRHs). Such remote radio units may or may not be integrated with an antenna as an antenna integrated radio. Parts of a distributed radio base station may also be referred to as nodes in a distributed antenna system (DAS).
Other examples of network nodes include multiple transmission point (multi-TRP) 5G access nodes, multi-standard radio (MSR) equipment such as MSR BSs, network controllers such as radio network controllers (RNCs) or base station controllers (BSCs), base transceiver stations (BTSs), transmission points, transmission nodes, multi-cell/multicast coordination entities (MCEs), Operation and Maintenance (O&M) nodes, Operations Support System (OSS) nodes, Self-Organizing Network (SON) nodes, positioning nodes (e.g., Evolved Serving Mobile Location Centers (E-SMLCs)), and/or Minimization of Drive Tests (MDTs).
The network node 1700 includes processing circuitry 1702, a memory 1704, a communication interface 1706, and a power source 1708. The network node 1700 may be composed of multiple physically separate components (e.g., a NodeB component and a RNC component, or a BTS component and a BSC component, etc.), which may each have their own respective components. In certain scenarios in which the network node 1700 comprises multiple separate components (e.g., BTS and BSC components), one or more of the separate components may be shared among several network nodes. For example, a single RNC may control multiple NodeBs. In such a scenario, each unique NodeB and RNC pair may in some instances be considered a single separate network node. In some embodiments, the network node 1700 may be configured to support multiple radio access technologies (RATs). In such embodiments, some components may be duplicated (e.g., separate memory 1704 for different RATs) and some components may be reused (e.g., a same antenna 1710 may be shared by different RATs). The network node 1700 may also include multiple sets of the various illustrated components for different wireless technologies integrated into network node 1700, for example GSM, WCDMA, LTE, NR, WiFi, Zigbee, Z-Wave, LoRaWAN, Radio Frequency Identification (RFID) or Bluetooth wireless technologies. These wireless technologies may be integrated into the same or different chip or set of chips and other components within network node 1700.
The processing circuitry 1702 may comprise a combination of one or more of a microprocessor, controller, microcontroller, central processing unit, digital signal processor, application-specific integrated circuit, field programmable gate array, or any other suitable computing device, resource, or combination of hardware, software and/or encoded logic operable, either alone or in conjunction with other network node 1700 components, such as the memory 1704, to provide network node 1700 functionality.
In some embodiments, the processing circuitry 1702 includes a system on a chip (SOC). In some embodiments, the processing circuitry 1702 includes one or more of radio frequency (RF) transceiver circuitry 1712 and baseband processing circuitry 1714. In some embodiments, the radio frequency (RF) transceiver circuitry 1712 and the baseband processing circuitry 1714 may be on separate chips (or sets of chips), boards, or units, such as radio units and digital units. In alternative embodiments, part or all of RF transceiver circuitry 1712 and baseband processing circuitry 1714 may be on the same chip or set of chips, boards, or units.
The memory 1704 may comprise any form of volatile or non-volatile computer-readable memory including, without limitation, persistent storage, solid-state memory, remotely mounted memory, magnetic media, optical media, random access memory (RAM), read-only memory (ROM), mass storage media (for example, a hard disk), removable storage media (for example, a flash drive, a Compact Disk (CD) or a Digital Video Disk (DVD)), and/or any other volatile or non-volatile, non-transitory device-readable and/or computer-executable memory devices that store information, data, and/or instructions that may be used by the processing circuitry 1702. The memory 1704 may store any suitable instructions, data, or information, including a computer program, software, an application including one or more of logic, rules, code, tables, and/or other instructions capable of being executed by the processing circuitry 1702 and utilized by the network node 1700. The memory 1704 may be used to store any calculations made by the processing circuitry 1702 and/or any data received via the communication interface 1706. In some embodiments, the processing circuitry 1702 and memory 1704 are integrated.
The communication interface 1706 is used in wired or wireless communication of signaling and/or data between a network node, access network, and/or UE. As illustrated, the communication interface 1706 comprises port(s)/terminal(s) 1716 to send and receive data, for example to and from a network over a wired connection. The communication interface 1706 also includes radio front-end circuitry 1718 that may be coupled to, or in certain embodiments a part of, the antenna 1710. Radio front-end circuitry 1718 comprises filters 1720 and amplifiers 1722. The radio front-end circuitry 1718 may be connected to an antenna 1710 and processing circuitry 1702. The radio front-end circuitry may be configured to condition signals communicated between antenna 1710 and processing circuitry 1702. The radio front-end circuitry 1718 may receive digital data that is to be sent out to other network nodes or UEs via a wireless connection. The radio front-end circuitry 1718 may convert the digital data into a radio signal having the appropriate channel and bandwidth parameters using a combination of filters 1720 and/or amplifiers 1722. The radio signal may then be transmitted via the antenna 1710. Similarly, when receiving data, the antenna 1710 may collect radio signals which are then converted into digital data by the radio front-end circuitry 1718. The digital data may be passed to the processing circuitry 1702. In other embodiments, the communication interface may comprise different components and/or different combinations of components.
In certain alternative embodiments, the network node 1700 does not include separate radio front-end circuitry 1718, instead, the processing circuitry 1702 includes radio front-end circuitry and is connected to the antenna 1710. Similarly, in some embodiments, all or some of the RF transceiver circuitry 1712 is part of the communication interface 1706. In still other embodiments, the communication interface 1706 includes one or more ports or terminals 1716, the radio front-end circuitry 1718, and the RF transceiver circuitry 1712, as part of a radio unit (not shown), and the communication interface 1706 communicates with the baseband processing circuitry 1714, which is part of a digital unit (not shown).
The antenna 1710 may include one or more antennas, or antenna arrays, configured to send and/or receive wireless signals. The antenna 1710 may be coupled to the radio front-end circuitry 1718 and may be any type of antenna capable of transmitting and receiving data and/or signals wirelessly. In certain embodiments, the antenna 1710 is separate from the network node 1700 and connectable to the network node 1700 through an interface or port.
The antenna 1710, communication interface 1706, and/or the processing circuitry 1702 may be configured to perform any receiving operations and/or certain obtaining operations described herein as being performed by the network node. Any information, data and/or signals may be received from a UE, another network node and/or any other network equipment. Similarly, the antenna 1710, the communication interface 1706, and/or the processing circuitry 1702 may be configured to perform any transmitting operations described herein as being performed by the network node. Any information, data and/or signals may be transmitted to a UE, another network node and/or any other network equipment.
The power source 1708 provides power to the various components of network node 1700 in a form suitable for the respective components (e.g., at a voltage and current level needed for each respective component). The power source 1708 may further comprise, or be coupled to, power management circuitry to supply the components of the network node 1700 with power for performing the functionality described herein. For example, the network node 1700 may be connectable to an external power source (e.g., the power grid, an electricity outlet) via an input circuitry or interface such as an electrical cable, whereby the external power source supplies power to power circuitry of the power source 1708. As a further example, the power source 1708 may comprise a source of power in the form of a battery or battery pack which is connected to, or integrated in, power circuitry. The battery may provide backup power should the external power source fail.
Embodiments of the network node 1700 may include additional components beyond those shown in Figure 17 for providing certain aspects of the network node's functionality, including any of the functionality described herein and/or any functionality necessary to support the subject matter described herein. For example, the network node 1700 may include user interface equipment to allow input of information into the network node 1700 and to allow output of information from the network node 1700. This may allow a user to perform diagnostic, maintenance, repair, and other administrative functions for the network node 1700. In some embodiments providing a core network node, such as core network node 1508 of Figure 15, some components, such as the radio front-end circuitry 1718 and the RF transceiver circuitry 1712, may be omitted.
Figure 18 is a block diagram illustrating a virtualization environment 1800 in which functions implemented by some embodiments may be virtualized. In the present context, virtualizing means creating virtual versions of apparatuses or devices which may include virtualizing hardware platforms, storage devices and networking resources. As used herein, virtualization can be applied to any device described herein, or components thereof, and relates to an implementation in which at least a portion of the functionality is implemented as one or more virtual components. Some or all of the functions described herein may be implemented as virtual components executed by one or more virtual machines (VMs) implemented in one or more virtual environments 1800 hosted by one or more hardware nodes, such as a hardware computing device that operates as a network node, UE, core network node, or host. Further, in embodiments in which the virtual node does not require radio connectivity (e.g., a core network node or host), the node may be entirely virtualized. In some embodiments, the virtualization environment 1800 includes components defined by the O-RAN Alliance, such as an O-Cloud environment orchestrated by a Service Management and Orchestration Framework via an O2 interface. Virtualization may facilitate distributed implementations of a network node, UE, core network node, or host.
Applications 1802 (which may alternatively be called software instances, virtual appliances, network functions, virtual nodes, virtual network functions, etc.) are run in the virtualization environment 1800 to implement some of the features, functions, and/or benefits of some of the embodiments disclosed herein.
Hardware 1804 includes processing circuitry, memory that stores software and/or instructions executable by hardware processing circuitry, and/or other hardware devices as described herein, such as a network interface, input/output interface, and so forth. Software may be executed by the processing circuitry to instantiate one or more virtualization layers 1806 (also referred to as hypervisors or virtual machine monitors (VMMs)), provide VMs 1808a and 1808b (one or more of which may be generally referred to as VMs 1808), and/or perform any of the functions, features and/or benefits described in relation with some embodiments described herein. The virtualization layer 1806 may present a virtual operating platform that appears like networking hardware to the VMs 1808.
The VMs 1808 comprise virtual processing, virtual memory, virtual networking or interface and virtual storage, and may be run by a corresponding virtualization layer 1806. Different embodiments of the instance of a virtual appliance 1802 may be implemented on one or more of VMs 1808, and the implementations may be made in different ways. Virtualization of the hardware is in some contexts referred to as network function virtualization (NFV). NFV may be used to consolidate many network equipment types onto industry standard high volume server hardware, physical switches, and physical storage, which can be located in data centers, and customer premise equipment.
In the context of NFV, a VM 1808 may be a software implementation of a physical machine that runs programs as if they were executing on a physical, non-virtualized machine. Each of the VMs 1808, and that part of hardware 1804 that executes that VM, be it hardware dedicated to that VM and/or hardware shared by that VM with others of the VMs, forms separate virtual network elements. Still in the context of NFV, a virtual network function is responsible for handling specific network functions that run in one or more VMs 1808 on top of the hardware 1804 and corresponds to the application 1802.
Hardware 1804 may be implemented in a standalone network node with generic or specific components. Hardware 1804 may implement some functions via virtualization. Alternatively, hardware 1804 may be part of a larger cluster of hardware (e.g. such as in a data center or CPE) where many hardware nodes work together and are managed via management and orchestration 1810, which, among others, oversees lifecycle management of applications 1802. In some embodiments, hardware 1804 is coupled to one or more radio units that each include one or more transmitters and one or more receivers that may be coupled to one or more antennas. Radio units may communicate directly with other hardware nodes via one or more appropriate network interfaces and may be used in combination with the virtual components to provide a virtual node with radio capabilities, such as a radio access node or a base station. In some embodiments, some signaling can be provided with the use of a control system 1812 which may alternatively be used for communication between hardware nodes and radio units.
Although the computing devices described herein (e.g., UEs, network nodes) may include the illustrated combination of hardware components, other embodiments may comprise computing devices with different combinations of components. It is to be understood that these computing devices may comprise any suitable combination of hardware and/or software needed to perform the tasks, features, functions and methods disclosed herein. Determining, calculating, obtaining or similar operations described herein may be performed by processing circuitry, which may process information by, for example, converting the obtained information into other information, comparing the obtained information or converted information to information stored in the network node, and/or performing one or more operations based on the obtained information or converted information, and as a result of said processing making a determination. Moreover, while components are depicted as single boxes located within a larger box, or nested within multiple boxes, in practice, computing devices may comprise multiple different physical components that make up a single illustrated component, and functionality may be partitioned between separate components. For example, a communication interface may be configured to include any of the components described herein, and/or the functionality of the components may be partitioned between the processing circuitry and the communication interface. In another example, non-computationally intensive functions of any of such components may be implemented in software or firmware and computationally intensive functions may be implemented in hardware.
In certain embodiments, some or all of the functionality described herein may be provided by processing circuitry executing instructions stored in memory, which in certain embodiments may be a computer program product in the form of a non-transitory computer-readable storage medium. In alternative embodiments, some or all of the functionality may be provided by the processing circuitry without executing instructions stored on a separate or discrete device-readable storage medium, such as in a hard-wired manner. In any of those particular embodiments, whether executing instructions stored on a non-transitory computer-readable storage medium or not, the processing circuitry can be configured to perform the described functionality. The benefits provided by such functionality are not limited to the processing circuitry alone or to other components of the computing device, but are enjoyed by the computing device as a whole, and/or by end users and a wireless network generally.
Some embodiments herein may be enumerated as below:
EMBODIMENTS
Group A Embodiments
A1. A method performed by a communication device (12), the method comprising: transmitting, to a network node (14) in a communication network (10), a registration request (16) that requests registration of a user (12U) of the communication device (12) and/or registration of a credential (12C) associated with the user (12U), wherein the registration request (16) includes subscription identifying information (12S) that identifies a subscription based on which the communication device (12) is registered with the communication network (10).
A2. The method of embodiment A1, wherein the registration request requests registration of a user name for the user with the subscription identifying information.
A3. The method of any of embodiments A1-A2, wherein the subscription identifying information is a GPSI or an MSISDN.
A4. The method of any of embodiments A1-A3, further comprising, after registration of the user and/or the credential, transmitting an authentication request to the network node requesting authentication of the user with the credential.
A5. The method of embodiment A4, wherein the authentication request includes a user name with which the user is registered.
A6. The method of any of embodiments A4-A5, wherein the authentication request includes information about one or more network services to which the user requests access.
A7. The method of any of embodiments A4-A6, further comprising receiving one or more tokens from the network node in response to the authentication request.
A8. The method of embodiment A7, further comprising transmitting an invocation request requesting invocation of a network service on the basis of at least one of the one or more tokens, wherein the invocation request includes the at least one of the one or more tokens.
A9. The method of any of embodiments A7-A8, wherein the one or more tokens include: a user identity token that includes a username of the user and/or the subscription identifying information; and/or an access token that indicates the user and the communication device in combination are authorized to access the requested network service.
A10. The method of any of embodiments A1-A9, wherein the credential is a public cryptographic key that is paired with a corresponding private cryptographic key.
A11. The method of any of embodiments A1-A10, wherein the method is performed by an application client executed on the communication device.
A12. The method of embodiment A11, wherein the application client is an application client of a communication service provider that provides the communication network.
A13. The method of any of embodiments A1-A12, wherein the network node implements a User AuthN Function.
A14. The method of any of embodiments A1-A13, wherein the user is a human user.
A15. The method of any of embodiments A1-A15, wherein the registration request is transmitted according to a W3C WebAuthN protocol or standard.
A16. The method of any of embodiments A1-A15, wherein the registration request is transmitted according to a passwordless authentication protocol.
A17. The method of any of embodiments A1-A16, wherein the credential is a password.
Group B Embodiments
B1. A method performed by a network node (14) in a communication network, the method comprising: receiving, from a communication device (12), a credential (12C) that is attested as being associated with a user (12U) of the communication device (12); and registering the credential (12C) with the network node (14) as being associated with the user (12U) and the communication device (12) in combination.
B2. The method of embodiment B1, wherein said registering comprises associating the credential with the user and the communication device in combination by linking: user identifying information that identifies the user; subscription identifying information that identifies a subscription based on which the communication device is registered with the communication network; and the credential.
B3. The method of embodiment B2, wherein said linking comprises mapping the credential to a user account maintained for the user at the network node, wherein the user account for the user includes the user identifying information and the subscription identifying information.
B4. The method of any of embodiments B2-B3, wherein said linking comprises storing, in a user account maintained at the network node for the user: the user identifying information; the subscription identifying information; and a credential record for the credential.
B5. The method of any of embodiments B2-B4, wherein: the user identifying information is a user identity or a user name; and/or the subscription identifying information is a GPSI or an MSISDN.
B6. The method of embodiment B2, wherein said linking comprises storing, in a data structure at the network node, data that indicates: for the user identifying information and the credential, one or more subscription identifiers that identify one or more respective subscriptions based on which one or more communication devices are registered with the communication network; or for the subscription identifying information, one or more user-credential pairs, wherein each user-credential pair comprises a pair of user identifying information identifying the user and a credential registered as being associated with the user.
B7. The method of any of embodiments B2-B6, wherein said receiving further comprises receiving a credential identifier that identifies the credential, and wherein said registering comprises registering the credential as being identified by the credential identifier.
B8. The method of any of embodiments B1-B7, wherein said registering comprises registering the credential as being valid for authenticating the user if the user is using the communication device.
B9. The method of any of embodiments B1-B8, further comprising: after registering the credential, receiving a request to authenticate the user with the credential; and checking whether a communication device from which the request was received is the same as the communication device with which the credential is registered as being associated.
B10. The method of embodiment B9, wherein said checking comprises performing one or more of, or requesting another network node to perform one or more of: translating a network layer address of the communication device from which the request was received to a subscription identifier, based on the network layer address having been allocated by the communication network to a communication device associated with that subscription identifier; and checking whether the subscription identifier is the same as a subscription identifier associated with the communication device with which the credential is registered as being associated.
B11. The method of any of embodiments B9-B10, further comprising: deciding that authentication of the user has failed, based on the communication device from which the request was received not being the same as the communication device with which the credential is registered as being associated according to said checking; or deciding that authentication of the user has succeeded, based at least in part on the communication device from which the request was received being the same as the communication device with which the credential is registered as being associated according to said checking.
B12. The method of any of embodiments B9-B11, wherein the credential is a public cryptographic key paired with a corresponding private cryptographic key, wherein the request includes a cryptographic signature asserted as being created with the private cryptographic key and/or as being verifiable with the public cryptographic key, and wherein the method further comprises: attempting to verify the cryptographic signature with the public cryptographic key; and deciding whether or not authentication of the user has succeeded or failed, based at least in part on whether the attempt to verify the cryptographic signature succeeded or failed.
B13. The method of any of embodiments B9-B12, wherein the request to authenticate the user includes a credential identifier that identifies the credential to be used for authenticating the user.
B14. The method of any of embodiments B9-B13, further comprising, based on authentication of the user succeeding, generating a token and transmitting the token in a response to the request.
B15. The method of any of embodiments B1-B14, further comprising: before receiving the credential, receiving a request to register a user name for the user with subscription identifying information that identifies a subscription to the communication network, wherein the request includes the subscription identifying information; checking whether a communication device from which the request was received is registered with the communication network based on the same subscription identifying information as that included in the request; and deciding whether or not to register the user name according to the request based at least in part on said checking.
B16. The method of embodiment B15, wherein said checking comprises performing one or more of, or requesting another network node to perform one or more of: translating a network layer address of the communication device from which the request was received to subscription identifying information, based on the network layer address having been allocated by the communication network to a communication device associated with that subscription identifying information; and checking whether the subscription identifying information is the same as subscription identifying information included in the request.
B17. The method of any of embodiments B1-B16, wherein the credential is a public cryptographic key that is paired with a corresponding private cryptographic key.
B18. The method of any of embodiments B1-B17, wherein the credential is received from an application client executed by the communication device.
B19. The method of embodiment B18, wherein the application client is an application client of a communication service provider that provides the communication network.
B20. The method of any of embodiments B1-B19, wherein the network node implements a User AuthN Function.
B21. The method of any of embodiments B1-B20, wherein the user is a human user.
B22. The method of any of embodiments B1-B21, wherein the credential is received and registered according to a W3C WebAuthN protocol or standard.
B23. The method of any of embodiments B1-B21, wherein the credential is received and registered according to a passwordless authentication protocol.
B24. The method of any of embodiments B1-B21, wherein the credential is a password.
B25. The method of any of embodiments B1-B24, further comprising: obtaining a user profile provisioned in the communication network for the user and the communication device in combination, wherein the user profile indicates: which one or more network services the user and the communication device in combination are nominally authorized to access; and/or one or more dynamic conditions under which the user and the communication device in combination are, or are not, actually authorized to access the one or more network services; and controlling authorization of the user and the communication device in combination to access one or more network services according to the user profile.
B26. The method of embodiment B25, wherein said controlling comprises: receiving, from the communication device, a request by the user to access a network service; checking whether the user and the communication device in combination are authorized to access the requested network service according to the user profile; and allowing or rejecting the request to access the requested network service depending on said checking.
B27. The method of embodiment B26, wherein said allowing or rejecting comprises allowing the request and transmitting a response to the request including an access token granting the user and the communication device in combination access to the requested network service.
B28. The method of any of embodiments B26-B27, wherein said checking comprises: checking whether the user and the communication device in combination are nominally authorized to access the requested network service according to the user profile; and/or checking whether the one or more dynamic conditions in the user profile are met.
B29. The method of any of embodiments B25-B28, wherein the one or more dynamic conditions include: a location at which the user and the communication device in combination are, or are not, authorized to access the one or more network services; and/or a time period during which the user and the communication device in combination are, or are not, authorized to access the one or more network services.
B30. The method of any of embodiments B25-B29, wherein obtaining the user profile comprises receiving the user profile from another network node that implements a user profile function.
B31. The method of any of embodiments B1-B30, further comprising deregistering the credential.
B32. The method of any of embodiments B1-B31, wherein the credential is received in a registration request, wherein the registration request includes subscription identifying information that identifies a subscription based on which the communication device is registered with the communication network.
BB1. A method performed by a network node (14) in a communication network (10), the method comprising: receiving, from a communication device (12), a credential (12C) that is attested as being associated with a user (12U) of the communication device (12); and registering the user (12U) with the network node (14), including associating the credential (12C) with the user (12U) and the communication device (12) in combination.
BB2. The method of embodiment BB1, wherein said associating the credential with the user and the communication device in combination comprises linking: user identifying information that identifies the user; subscription identifying information that identifies a subscription based on which the communication device is registered with the communication network; and the credential.
BB3. The method of embodiment BB2, wherein said linking comprises mapping the credential to a user account maintained for the user at the network node, wherein the user account for the user includes the user identifying information and the subscription identifying information.
BB4. The method of any of embodiments BB2-BB3, wherein said linking comprises storing, in a user account maintained at the network node for the user: the user identifying information; the subscription identifying information; and a credential record for the credential.
BB5. The method of any of embodiments BB2-BB4, wherein: the user identifying information is a user identity or a user name; and/or the subscription identifying information is a GPSI or an MSISDN.
BB6. The method of embodiment BB2, wherein said linking comprises storing, in a data structure at the network node, data that indicates: for the user identifying information and the credential, one or more subscription identifiers that identify one or more respective subscriptions based on which one or more communication devices are registered with the communication network; or for the subscription identifying information, one or more user-credential pairs, wherein each user-credential pair comprises a pair of user identifying information identifying the user and a credential registered as being associated with the user.
BB7. The method of any of embodiments BB2-BB6, wherein said receiving further comprises receiving a credential identifier that identifies the credential, and wherein said registering comprises registering the credential as being identified by the credential identifier.
BB8. The method of any of embodiments BB1-BB7, wherein said registering comprises registering the user as being authenticatable by the credential if the user is using the communication device.
BB9. The method of any of embodiments BB1-BB8, further comprising: after registering the user, receiving a request to authenticate the user with the credential; and checking whether a communication device from which the request was received is the same as the communication device with which the credential is associated.
BB10. The method of embodiment BB9, wherein said checking comprises performing one or more of, or requesting another network node to perform one or more of: translating a network layer address of the communication device from which the request was received to a subscription identifier, based on the network layer address having been allocated by the communication network to a communication device associated with that subscription identifier; and checking whether the subscription identifier is the same as the subscription identifying information included in the request.
BB11. The method of any of embodiments BB9-BB10, further comprising: deciding that authentication of the user has failed, based on the communication device from which the request was received not being the same as the communication device with which the credential is associated according to said checking; or deciding that authentication of the user has succeeded, based at least in part on the communication device from which the request was received being the same as the communication device with which the credential is associated according to said checking.
BB12. The method of any of embodiments BB9-BB11, wherein the credential is a public cryptographic key paired with a corresponding private cryptographic key, wherein the request includes a cryptographic signature asserted as being created with the private cryptographic key and/or as being verifiable with the public cryptographic key, and wherein the method further comprises: attempting to verify the cryptographic signature with the public cryptographic key; and deciding whether or not authentication of the user has succeeded or failed, based at least in part on whether the attempt to verify the cryptographic signature succeeded or failed.
BB13. The method of any of embodiments BB9-BB12, wherein the request to authenticate the user includes a credential identifier that identifies the credential to be used for authenticating the user.
BB14. The method of any of embodiments BB9-BB13, further comprising, based on authentication of the user succeeding, generating a token and transmitting the token in a response to the request.
BB15. The method of any of embodiments BB1-BB14, wherein said registering comprises: before receiving the credential, receiving a request to register a user name for the user with subscription identifying information that identifies a subscription to the communication network, wherein the request includes the subscription identifying information; checking whether a communication device from which the request was received is registered with the communication network based on the same subscription identifying information as that included in the request; and deciding whether or not to register the user name according to the request based at least in part on said checking.
BB16. The method of embodiment BB15, wherein said checking comprises: translating, or requesting another network node to translate, a network layer address of the communication device from which the request was received to subscription identifying information, based on the network layer address having been allocated by the communication network to a communication device associated with that subscription identifying information; and checking whether the subscription identifying information is the same as the subscription identifying information based on which the communication device from which the request was received is registered with the communication network.
BB17. The method of any of embodiments BB1-BB16, wherein the credential is a public cryptographic key that is paired with a corresponding private cryptographic key.
BB18. The method of any of embodiments BB1-BB17, wherein the credential is received from an application client executed by the communication device.
BB19. The method of embodiment BB18, wherein the application client is an application client of a communication service provider that provides the communication network.
BB20. The method of any of embodiments BB1-BB19, wherein the network node implements a User AuthN Function.
BB21. The method of any of embodiments BB1-BB20, wherein the user is a human user.
BB22. The method of any of embodiments BB1-BB21, wherein the credential is received and the user registered according to a W3C WebAuthN protocol or standard.
BB23. The method of any of embodiments BB1-BB21, wherein the credential is received and the user registered according to a passwordless authentication protocol.
BB24. The method of any of embodiments BB1-BB21, wherein the credential is a password.
BB25. The method of any of embodiments B1-B24, further comprising: obtaining a user profile provisioned in the communication network for the user and the communication device in combination, wherein the user profile indicates: which one or more network services the user and the communication device in combination are nominally authorized to access; and/or one or more dynamic conditions under which the user and the communication device in combination are, or are not, actually authorized to access the one or more network services; and controlling authorization of the user and the communication device in combination to access one or more network services according to the user profile.
BB26. The method of embodiment BB25, wherein said controlling comprises: receiving, from the communication device, a request by the user to access a network service; checking whether the user and the communication device in combination are authorized to access the requested network service according to the user profile; and allowing or rejecting the request to access the requested network service depending on said checking.
BB27. The method of embodiment BB26, wherein said allowing or rejecting comprises allowing the request and transmitting a response to the request including an access token granting the user and the communication device in combination access to the requested network service.
BB28. The method of any of embodiments BB26-BB27, wherein said checking comprises: checking whether the user and the communication device in combination are nominally authorized to access the requested network service according to the user profile; and/or checking whether the one or more dynamic conditions in the user profile are met.
BB29. The method of any of embodiments BB25-BB28, wherein the one or more dynamic conditions include: a location at which the user and the communication device in combination are, or are not, authorized to access the one or more network services; and/or a time period during which the user and the communication device in combination are, or are not, authorized to access the one or more network services.
BB30. The method of any of embodiments BB25-BB29, wherein obtaining the user profile comprises receiving the user profile from another network node that implements a user profile function.
BB31. The method of any of embodiments BB1-BB30, further comprising deregistering the user.
BB32. The method of any of embodiments BB1-BB31, wherein the credential is received in a registration request, wherein the registration request includes subscription identifying information that identifies a subscription based on which the communication device is registered with the communication network.
BBB1. A method performed by a network node (14) in a communication network (10), the method comprising: obtaining a user profile (12P) provisioned in the communication network (10) for a user (12U) and a communication device (12) in combination, wherein the user profile (12P) indicates: which one or more network services the user (12U) and the communication device (12) in combination are nominally authorized to access; and/or one or more dynamic conditions under which the user (12U) and the communication device (12) in combination are, or are not, actually authorized to access the one or more network services; and controlling authorization of the user (12U) and the communication device (12) in combination to access one or more network services according to the user profile (12P).
BBB2. The method of embodiment BBB1, wherein said controlling comprises: receiving, from the communication device, a request by the user to access a network service; checking whether the user and the communication device in combination are authorized to access the requested network service according to the user profile; and allowing or rejecting the request to access the requested network service depending on said checking.
BBB3. The method of embodiment BBB2, wherein said allowing or rejecting comprises allowing the request and transmitting a response to the request including an access token granting the user and the communication device in combination access to the requested network service.
BBB4. The method of any of embodiments BBB2-BBB3, wherein said checking comprises: checking whether the user and the communication device in combination are nominally authorized to access the requested network service according to the user profile; and/or checking whether the one or more dynamic conditions in the user profile are met.
BBB5. The method of any of embodiments BBB1-BBB4, wherein the one or more dynamic conditions include: a location at which the user and the communication device in combination are, or are not, authorized to access the one or more network services; and/or a time period during which the user and the communication device in combination are, or are not, authorized to access the one or more network services.
BBB6. The method of any of embodiments BBB1-BBB5, wherein obtaining the user profile comprises receiving the user profile from another network node that implements a user profile function.
BBB7. The method of any of embodiments BBB1-BBB6, wherein the network node implements a User AuthN Function.
BBB8. The method of any of embodiments BBB1-BBB7, wherein the user is a human user.
BBBB1. A method performed by a network node (14) in a communication network (10), the method comprising: receiving a request (16) to register a user name (12N) for a user (12U) with subscription identifying information (12S) that identifies a subscription to the communication network (10), wherein the request (16) includes the subscription identifying information (12S); checking whether a communication device from which the request (16) was received is registered with the communication network (10) based on subscription identifying information that is the same as the subscription identifying information (12S) included in the request (16); and deciding whether or not to register the user name (12N) according to the request (16) based at least in part on said checking.
BBBB2. The method of embodiment BBBB1, wherein said checking comprises performing one or more of, or requesting another network node to perform one or more of: determining the subscription identifying information based on which the communication device is registered with the communication network by translating a network layer address of the communication device to the subscription identifying information, based on the network layer address having been allocated by the communication network to a communication device associated with that subscription identifying information; and checking whether the determined subscription identifying information is the same as the subscription identifying information included in the request.
BBBB3. The method of any of embodiments BBBB1-BBBB2, wherein said deciding comprises deciding not to register the user name according to the request, responsive to determining that the communication device from which the request was received is not registered with the communication network based on subscription identifying information that is the same as the subscription identifying information included in the request.
BBBB4. The method of any of embodiments BBBB1-BBBB3, wherein the network node implements a User AuthN Function.
BBBB5. The method of any of embodiments BBBB1-BBBB4, wherein the user is a human user.
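The network-node side of the Group B procedure, as an added example that is not code from the patent, its applicant or 3GPP: a user name is registered only when the requesting device's network layer address translates to the subscription identifier carried in the request (B15-B16, BBBB1-BBBB3), a public key credential is then bound to the user and device in combination (B1-B7, B17), and an authentication request succeeds only when it arrives from that same device and its signature verifies with the registered key (B9-B14, BB9-BB14). The `UserAuthNFunction` type, the `ipToGPSI` table standing in for the network's address allocation records, the Ed25519 credential and the token string format are assumptions made here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

var (
	ErrUnknownAddress = errors.New("no subscription was allocated this network layer address")
	ErrDeviceMismatch = errors.New("requesting device is not registered under the expected subscription")
	ErrNotRegistered  = errors.New("user name or credential identifier is not registered")
	ErrBadSignature   = errors.New("signature does not verify with the registered public key")
)

// userAccount links the user name (map key), a GPSI (B5) and credential records keyed by credential identifier (B2-B4, B7).
type userAccount struct {
	gpsi  string
	creds map[string]ed25519.PublicKey
}

// UserAuthNFunction is a constructed model of the network node. ipToGPSI stands in for the
// network's record of which subscription each network layer address was allocated to.
type UserAuthNFunction struct {
	accounts map[string]*userAccount
	ipToGPSI map[string]string
}

func NewUserAuthNFunction(ipToGPSI map[string]string) *UserAuthNFunction {
	return &UserAuthNFunction{accounts: map[string]*userAccount{}, ipToGPSI: ipToGPSI}
}

// checkDevice translates the sender's network layer address to the subscription it was
// allocated to and compares that with the expected GPSI (B10, B16).
func (u *UserAuthNFunction) checkDevice(srcIP, expectedGPSI string) error {
	actual, ok := u.ipToGPSI[srcIP]
	if !ok {
		return ErrUnknownAddress
	}
	if actual != expectedGPSI {
		return ErrDeviceMismatch
	}
	return nil
}

// RegisterUserName registers a user name for a subscription only when the requesting
// device is itself registered under the GPSI carried in the request (B15, B16).
func (u *UserAuthNFunction) RegisterUserName(srcIP, userName, gpsi string) error {
	if err := u.checkDevice(srcIP, gpsi); err != nil {
		return err
	}
	u.accounts[userName] = &userAccount{gpsi: gpsi, creds: map[string]ed25519.PublicKey{}}
	return nil
}

// RegisterCredential binds a public key to the user and device in combination (B1-B4, B7, B17).
func (u *UserAuthNFunction) RegisterCredential(srcIP, userName, credID string, pub ed25519.PublicKey) error {
	acct, ok := u.accounts[userName]
	if !ok {
		return ErrNotRegistered
	}
	if err := u.checkDevice(srcIP, acct.gpsi); err != nil {
		return err
	}
	acct.creds[credID] = pub
	return nil
}

// Authenticate applies the B9-B14 checks: the request must come from the device the credential is
// bound to (B11) and the signature must verify with the registered key (B12); the token format is constructed.
func (u *UserAuthNFunction) Authenticate(srcIP, userName, credID string, challenge, sig []byte) (string, error) {
	acct, ok := u.accounts[userName]
	if !ok {
		return "", ErrNotRegistered
	}
	pub, ok := acct.creds[credID]
	if !ok {
		return "", ErrNotRegistered
	}
	if err := u.checkDevice(srcIP, acct.gpsi); err != nil {
		return "", err
	}
	if !ed25519.Verify(pub, challenge, sig) {
		return "", ErrBadSignature
	}
	return fmt.Sprintf("user_id_token{user=%s;gpsi=%s;cred=%s}", userName, acct.gpsi, credID), nil
}

func main() {
	// Constructed address allocation: one device per subscription; alice enrols from 10.0.0.1.
	uaf := NewUserAuthNFunction(map[string]string{"10.0.0.1": "msisdn-1", "10.0.0.2": "msisdn-2"})
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	fmt.Println(uaf.RegisterUserName("10.0.0.1", "alice", "msisdn-1"))
	fmt.Println(uaf.RegisterCredential("10.0.0.1", "alice", "cred-1", pub))
	challenge := []byte("constructed-server-nonce")
	sig := ed25519.Sign(priv, challenge)
	fmt.Println(uaf.Authenticate("10.0.0.1", "alice", "cred-1", challenge, sig))
	fmt.Println(uaf.Authenticate("10.0.0.2", "alice", "cred-1", challenge, sig)) // same credential, other device
}
```

The last call shows the B11 failure case: a valid signature with a registered credential is still rejected when the request originates from a device registered under a different subscription.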
Group C Embodiments
C1. A communication device configured to perform any of the steps of any of the Group A embodiments.
C2. A communication device comprising processing circuitry configured to perform any of the steps of any of the Group A embodiments.
C3. A communication device comprising: communication circuitry; and processing circuitry configured to perform any of the steps of any of the Group A embodiments.
C4. A communication device comprising: processing circuitry configured to perform any of the steps of any of the Group A embodiments; and power supply circuitry configured to supply power to the communication device.
C5. A communication device comprising: processing circuitry and memory, the memory containing instructions executable by the processing circuitry whereby the communication device is configured to perform any of the steps of any of the Group A embodiments.
C6. The communication device of any of embodiments C1-C5, wherein the communication device is a wireless communication device.
C7. A user equipment (UE) comprising: an antenna configured to send and receive wireless signals; radio front-end circuitry connected to the antenna and to processing circuitry, and configured to condition signals communicated between the antenna and the processing circuitry; the processing circuitry being configured to perform any of the steps of any of the Group A embodiments; an input interface connected to the processing circuitry and configured to allow input of information into the UE to be processed by the processing circuitry; an output interface connected to the processing circuitry and configured to output information from the UE that has been processed by the processing circuitry; and a battery connected to the processing circuitry and configured to supply power to the UE.
C8. A computer program comprising instructions which, when executed by at least one processor of a communication device, causes the communication device to perform any of the steps of any of the Group A embodiments.
C9. A carrier containing the computer program of embodiment C7, wherein the carrier is one of an electronic signal, optical signal, radio signal, or computer readable storage medium.
C10. A network node configured to perform any of the steps of any of the Group B embodiments.
C11. A network node comprising processing circuitry configured to perform any of the steps of any of the Group B embodiments.
C12. A network node comprising: communication circuitry; and processing circuitry configured to perform any of the steps of any of the Group B embodiments.
C13. A network node comprising: processing circuitry configured to perform any of the steps of any of the Group B embodiments; and power supply circuitry configured to supply power to the network node.
C14. A network node comprising: processing circuitry and memory, the memory containing instructions executable by the processing circuitry whereby the network node is configured to perform any of the steps of any of the Group B embodiments.
C15. The network node of any of embodiments C10-C14, wherein the network node is a base station.
C16. A computer program comprising instructions which, when executed by at least one processor of a network node, causes the network node to perform any of the steps of any of the Group B embodiments.
C17. The computer program of embodiment C16, wherein the network node is a base station.
C18. A carrier containing the computer program of any of embodiments C16-C17, wherein the carrier is one of an electronic signal, optical signal, radio signal, or computer readable storage medium.
ABBREVIATIONS
At least some of the following abbreviations may be used in this disclosure. If there is an inconsistency between abbreviations, preference should be given to how it is used above. If listed multiple times below, the first listing should be preferred over any subsequent listing(s).
3GPP 3rd Generation Partnership Project
5G 5th Generation
6G 6th Generation
ABS Almost Blank Subframe
ARQ Automatic Repeat Request
AWGN Additive White Gaussian Noise
BCCH Broadcast Control Channel
BCH Broadcast Channel
CA Carrier Aggregation
CC Carrier Component
CCCH SDU Common Control Channel SDU
CDMA Code Division Multiplex Access
CGI Cell Global Identity
CIR Channel Impulse Response
CP Cyclic Prefix
CPICH Common Pilot Channel
CQI Channel Quality Information
C-RNTI Cell RNTI
CSI Channel State Information
DCCH Dedicated Control Channel
DL Downlink
DM Demodulation
DMRS Demodulation Reference Signal
DRX Discontinuous Reception
DTX Discontinuous Transmission
DTCH Dedicated Traffic Channel
DUT Device Under Test
E-CID Enhanced Cell-ID (positioning method)
Ec/No Received energy per chip divided by the power density in the band
eMBMS Evolved Multimedia Broadcast Multicast Services
ECGI Evolved CGI
eNB E-UTRAN NodeB
ePDCCH Enhanced Physical Downlink Control Channel
E-SMLC Evolved Serving Mobile Location Center
E-UTRAN Evolved Universal Terrestrial Radio Access Network
FDD Frequency Division Duplex
FFS For Further Study
gNB Base station in NR
GNSS Global Navigation Satellite System
HARQ Hybrid Automatic Repeat Request
HO Handover
HSPA High Speed Packet Access
HRPD High Rate Packet Data
LOS Line of Sight
LPP LTE Positioning Protocol
LTE Long-Term Evolution
MAC Medium Access Control
MAC Message Authentication Code
MBSFN Multimedia Broadcast Multicast Service Single Frequency Network
MBSFN ABS MBSFN Almost Blank Subframe
MDT Minimization of Drive Tests
MIB Master Information Block
MME Mobility Management Entity
MSC Mobile Switching Center
NPDCCH Narrowband Physical Downlink Control Channel
NR New Radio
OCNG OFDMA Channel Noise Generator
OFDM Orthogonal Frequency Division Multiplexing
OFDMA Orthogonal Frequency Division Multiple Access
OSS Operations Support System
OTDOA Observed Time Difference of Arrival
O&M Operation and Maintenance
PBCH Physical Broadcast Channel
P-CCPCH Primary Common Control Physical Channel
PCell Primary Cell
PCFICH Physical Control Format Indicator Channel
PDCCH Physical Downlink Control Channel
PDCP Packet Data Convergence Protocol
PDP Power Delay Profile
PDSCH Physical Downlink Shared Channel
PGW Packet Gateway
PHICH Physical Hybrid-ARQ Indicator Channel
PLMN Public Land Mobile Network
PMI Precoding Matrix Indicator
PRACH Physical Random Access Channel
PRS Positioning Reference Signal
PSS Primary Synchronization Signal
PUCCH Physical Uplink Control Channel
PUSCH Physical Uplink Shared Channel
RACH Random Access Channel
QAM Quadrature Amplitude Modulation
RAN Radio Access Network
RAT Radio Access Technology
RLC Radio Link Control
RLM Radio Link Monitoring
RNC Radio Network Controller
RNTI Radio Network Temporary Identifier
RRC Radio Resource Control
RRM Radio Resource Management
RS Reference Signal
RSCP Received Signal Code Power
RSRP Reference Symbol Received Power OR Reference Signal Received Power
RSRQ Reference Signal Received Quality OR Reference Symbol Received Quality
RSSI Received Signal Strength Indicator
RSTD Reference Signal Time Difference
SCH Synchronization Channel
SCell Secondary Cell
SDAP Service Data Adaptation Protocol
SDU Service Data Unit
SFN System Frame Number
SGW Serving Gateway
SI System Information
SIB System Information Block
SNR Signal to Noise Ratio
SON Self-Organizing Network
SS Synchronization Signal
SSS Secondary Synchronization Signal
TDD Time Division Duplex
TDOA Time Difference of Arrival
TOA Time of Arrival
TSS Tertiary Synchronization Signal
TTI Transmission Time Interval
UE User Equipment
UL Uplink
UMTS Universal Mobile Telecommunications System
USIM Universal Subscriber Identity Module
UTDOA Uplink Time Difference of Arrival
WCDMA Wideband CDMA
WLAN Wireless Local Area Network

Claims

1. A method performed by a communication device (12), the method comprising: transmitting (800), to a network node (14) in a communication network (10), a registration request (16) that requests registration of a user (12U) of the communication device (12) and/or registration of a credential (12C) associated with the user (12U), wherein the registration request (16) includes subscription identifying information (12S) that identifies a subscription based on which the communication device (12) is registered with the communication network (10).
2. The method of claim 1, wherein the registration request (16) requests registration of a user name (12N) for the user (12U) with the subscription identifying information (12S).
3. The method of any of claims 1-2, wherein the subscription identifying information (12S) is a GPSI or an MSISDN.
4. The method of any of claims 1-3, further comprising, after registration of the user (12U) and/or the credential (12C), transmitting (810) an authentication request (30) to the network node (14) requesting authentication of the user (12U) with the credential (12C).
5. The method of claim 4, wherein the authentication request (30) includes: a user name (12N) with which the user (12U) is registered; a credential identifier (12C-ID) that identifies the credential to be used for authenticating the user; and/or information about one or more network services to which the user requests access.
6. The method of any of claims 4-5, further comprising receiving (820) one or more tokens (34) from the network node (14) in response to the authentication request (30).
7. The method of claim 6, further comprising transmitting (830) an invocation request requesting invocation of a network service on the basis of at least one of the one or more tokens (34), wherein the invocation request includes the at least one of the one or more tokens (34).
8. The method of any of claims 6-7, wherein the one or more tokens include: a user identity token that includes a username of the user and/or the subscription identifying information; and/or an access token that indicates the user and the communication device in combination are authorized to access the requested network service.
9. The method of any of claims 1-8, wherein the credential (12C) is a public cryptographic key that is paired with a corresponding private cryptographic key.
10. The method of any of claims 1-9, wherein the method is performed by an application client executed on the communication device (12).
11. The method of claim 10, wherein the application client is an application client of a communication service provider that provides the communication network (10).
12. The method of any of claims 1-11, wherein the network node (14) implements a User AuthN Function.
13. The method of any of claims 1-12, wherein the user (12U) is a human user.
14. The method of any of claims 1-13, wherein the registration request (16) is transmitted according to a W3C WebAuthN protocol or standard, and/or a passwordless authentication protocol.
15. The method of any of claims 1-14, wherein the credential (12C) is a password.
16. A method performed by a network node (14) in a communication network (10), the method comprising: receiving (900), from a communication device (12), a credential (12C) that is attested as being associated with a user (12U) of the communication device (12); and registering (910) the credential (12C) with the network node (14) as being associated with the user (12U) and the communication device (12) in combination.
17. The method of claim 16, wherein said registering comprises associating the credential (12C) with the user (12U) and the communication device (12) in combination by linking: user identifying information (12F) that identifies the user (12U); subscription identifying information (12S) that identifies a subscription based on which the communication device is registered with the communication network; and the credential (12C).
18. The method of claim 17, wherein said linking comprises mapping the credential (12C) to a user account maintained for the user (12U) at the network node, wherein the user account for the user includes the user identifying information (12F) and the subscription identifying information (12S), and/or storing, in a user account maintained at the network node for the user: the user identifying information (12F); the subscription identifying information (12S); and a credential record for the credential (12C).
19. The method of any of claims 17-18, wherein: the user identifying information (12F) is a user identity or a user name (12N); and/or the subscription identifying information (12S) is a GPSI or an MSISDN.
20. The method of claim 17, wherein said linking comprises storing, in a data structure at the network node (14), data that indicates: for the user identifying information (12F) and the credential (12C), one or more subscription identifiers that identify one or more respective subscriptions based on which one or more communication devices are registered with the communication network; or for the subscription identifying information (12S), one or more user-credential pairs, wherein each user-credential pair comprises a pair of user identifying information identifying the user and a credential registered as being associated with the user.
21. The method of any of claims 17-20, wherein said receiving further comprises receiving a credential identifier (12C-ID) that identifies the credential, and wherein said registering comprises registering the credential (12C) as being identified by the credential identifier.
22. The method of any of claims 16-21, wherein said registering comprises registering the credential (12C) as being valid for authenticating the user (12U) if the user is using the communication device (12).
23. The method of any of claims 16-22, further comprising: after registering the credential (12C), receiving (920) a request (30) to authenticate the user with the credential; and checking (930) whether a communication device from which the request was received is one of the communication devices with which the credential is registered as being associated.
24. The method of claim 23, wherein said checking comprises performing one or more of, or requesting another network node to perform one or more of: translating a network layer address of the communication device from which the request was received to a subscription identifier, based on the network layer address having been allocated by the communication network to a communication device associated with that subscription identifier; and checking whether the subscription identifier is the same as a subscription identifier associated with one of the communication devices with which the credential is registered as being associated.
25. The method of any of claims 23-24, further comprising: deciding that authentication of the user has failed, based on the communication device from which the request was received not being one of the communication devices with which the credential is registered as being associated according to said checking; or deciding that authentication of the user has succeeded, based at least in part on the communication device from which the request was received being one of the communication devices with which the credential is registered as being associated according to said checking.
26. The method of any of claims 23-25, wherein the credential (12C) is a public cryptographic key paired with a corresponding private cryptographic key, wherein the request includes a cryptographic signature asserted as being created with the private cryptographic key and/or as being verifiable with the public cryptographic key, and wherein the method further comprises: attempting to verify the cryptographic signature with the public cryptographic key; and deciding whether or not authentication of the user has succeeded or failed, based at least in part on whether the attempt to verify the cryptographic signature succeeded or failed.
27. The method of any of claims 23-26, wherein the request to authenticate the user (12U) includes a user name (12N) with which the user (12U) is registered; a credential identifier (12C-ID) that identifies the credential (12C) to be used for authenticating the user (12U); and/or information about one or more network services to which the user requests access.
28. The method of any of claims 23-27, further comprising, based on authentication of the user succeeding, generating (940) a token (34) and transmitting the token in a response to the request (30).
29. The method of any of claims 16-28, further comprising: before receiving the credential (12C), receiving (950) a request (16) to register a user name (12N) for the user with subscription identifying information that identifies a subscription to the communication network, wherein the request includes the subscription identifying information (12S); checking (960) whether a communication device from which the request was received is registered with the communication network based on the same subscription identifying information as that included in the request; and deciding (970) whether or not to register the user name according to the request based at least in part on said checking.
30. The method of claim 29, wherein said checking comprises performing one or more of, or requesting another network node to perform one or more of: translating a network layer address of the communication device from which the request was received to subscription identifying information, based on the network layer address having been allocated by the communication network to a communication device associated with that subscription identifying information; and checking whether the subscription identifying information is the same as subscription identifying information included in the request.
31. The method of any of claims 16-30, wherein the credential (12C) is a public cryptographic key that is paired with a corresponding private cryptographic key; and/or is received from an application client executed by the communication device, wherein the application client is an application client of a communication service provider that provides the communication network.
32. The method of any of claims 16-31, wherein the network node implements a User AuthN Function.
33. The method of any of claims 16-32, wherein the user is a human user.
34. The method of any of claims 16-33, wherein the credential (12C) is received and registered according to a W3C WebAuthN protocol or standard; the credential (12C) is received and registered according to a passwordless authentication protocol; or the credential (12C) is a password.
35. The method of any of claims 16-34, further comprising: obtaining (980) a user profile (12P) provisioned in the communication network for the user (12U) and the communication device (12) in combination, wherein the user profile indicates: which one or more network services the user and the communication device in combination are nominally authorized to access; and/or one or more dynamic conditions under which the user and the communication device in combination are, or are not, actually authorized to access the one or more network services; and controlling (995) authorization of the user and the communication device in combination to access one or more network services according to the user profile.
36. The method of claim 35, wherein said controlling comprises: receiving, from the communication device, a request (36) by the user (12U) to access a network service; checking whether the user and the communication device in combination are authorized to access the requested network service according to the user profile; and allowing or rejecting the request to access the requested network service depending on said checking.
37. The method of claim 36, wherein said allowing or rejecting comprises allowing the request and transmitting a response to the request including an access token granting the user and the communication device in combination access to the requested network service.
38. The method of any of claims 36-37, wherein said checking comprises: checking whether the user and the communication device in combination are nominally authorized to access the requested network service according to the user profile; and/or checking whether the one or more dynamic conditions in the user profile are met.
39. The method of any of claims 35-38, wherein the one or more dynamic conditions include: a location at which the user and the communication device in combination are, or are not, authorized to access the one or more network services; and/or a time period during which the user and the communication device in combination are, or are not, authorized to access the one or more network services.
40. The method of any of claims 35-39, wherein obtaining the user profile comprises receiving the user profile from another network node that implements a user profile function.
41. The method of any of claims 16-40, further comprising deregistering the credential.
42. The method of any of claims 16-41, wherein the credential is received in a registration request, wherein the registration request includes subscription identifying information that identifies a subscription based on which the communication device is registered with the communication network.
43. A communication device (12) configured to perform any of the steps of any of the claims 1-15.
44. The communication device (12) of claim 43, wherein the communication device is a wireless communication device.
45. A computer program comprising instructions which, when executed by at least one processor of a communication device, causes the communication device to perform any of the steps of any of the claims 1-15.
46. A carrier containing the computer program of claim 45, wherein the carrier is one of an electronic signal, optical signal, radio signal, or computer readable storage medium.
47. A network node (14) configured to perform any of the steps of any of the claims 16-42.
48. The network node (14) of claim 47, wherein the network node is a network function, NF, a network entity, NE, or an application function, AF.
49. A computer program comprising instructions which, when executed by at least one processor of a network node, causes the network node to perform any of the steps of any of the claims 16-42.
50. A carrier containing the computer program of any of claims 16-42, wherein the carrier is one of an electronic signal, optical signal, radio signal, or computer readable storage medium.
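The network-node side of claims 16-39, as an added Python sketch that is not Ericsson's code nor any 3GPP implementation: a User AuthN Function that binds a credential to the (user name, GPSI) pair, rejects user-name registration, credential registration and authentication requests arriving from a device whose allocated address maps to a different subscription, and then applies the user profile's nominal services and dynamic conditions. The address-to-GPSI map, the HMAC stand-in for public-key signature verification, and every identifier below are constructed assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Set, Tuple

# (challenge, signature) -> True when the signature verifies under the registered
# credential; a deployment plugs WebAuthn public-key verification in here.
Verifier = Callable[[bytes, bytes], bool]


@dataclass
class UserAccount:
    user_name: str                    # user identifying information (12F)
    gpsi: str                         # subscription identifying information (12S)
    credentials: Dict[str, Verifier] = field(default_factory=dict)  # keyed by 12C-ID


@dataclass
class UserProfile:
    services: Set[str]                        # services nominally authorized
    locations: Optional[Set[str]] = None      # dynamic condition: allowed locations
    hours: Optional[Tuple[int, int]] = None   # dynamic condition: allowed [start, end) hour


class UserAuthNFunction:
    def __init__(self, address_to_gpsi: Dict[str, str]) -> None:
        # Constructed stand-in for the network's address-to-subscription translation (claims 24, 30).
        self._addr_to_gpsi = address_to_gpsi
        self._accounts: Dict[str, UserAccount] = {}
        self._profiles: Dict[Tuple[str, str], UserProfile] = {}

    def register_user_name(self, src_addr: str, user_name: str, gpsi: str) -> bool:
        # Claims 29-30: accept the name only if the requesting device is registered
        # under the same subscription that the request names.
        if self._addr_to_gpsi.get(src_addr) != gpsi or user_name in self._accounts:
            return False
        self._accounts[user_name] = UserAccount(user_name, gpsi)
        return True

    def register_credential(self, src_addr: str, user_name: str,
                            cred_id: str, verifier: Verifier) -> bool:
        # Claims 16-22: bind the credential to (user, subscription) in combination.
        acct = self._accounts.get(user_name)
        if acct is None or self._addr_to_gpsi.get(src_addr) != acct.gpsi:
            return False
        acct.credentials[cred_id] = verifier
        return True

    def authenticate(self, src_addr: str, user_name: str, cred_id: str,
                     challenge: bytes, signature: bytes) -> Optional[dict]:
        # Claims 23-28: the device must belong to the registered subscription AND
        # the signature must verify; either failure rejects without a token.
        acct = self._accounts.get(user_name)
        if (acct is None or cred_id not in acct.credentials
                or self._addr_to_gpsi.get(src_addr) != acct.gpsi
                or not acct.credentials[cred_id](challenge, signature)):
            return None
        return {"user_identity_token": {"user_name": user_name, "gpsi": acct.gpsi}}

    def provision_profile(self, user_name: str, gpsi: str, profile: UserProfile) -> None:
        self._profiles[(user_name, gpsi)] = profile   # claim 35: per user+device pair

    def authorize(self, user_name: str, gpsi: str, service: str,
                  location: str, hour: int) -> bool:
        # Claims 36-39: nominal authorization, then the dynamic conditions.
        prof = self._profiles.get((user_name, gpsi))
        if prof is None or service not in prof.services:
            return False
        if prof.locations is not None and location not in prof.locations:
            return False
        return prof.hours is None or prof.hours[0] <= hour < prof.hours[1]


def hmac_verifier(secret: bytes) -> Verifier:
    # Constructed stand-in so the example runs offline; a real credential (12C) is a public key.
    def verify(challenge: bytes, signature: bytes) -> bool:
        expected = hmac.new(secret, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, signature)
    return verify
```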
Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN2024092830 2024-05-13
CNPCT/CN2024/092830 2024-05-13

Publications (1)

Publication Number Publication Date
WO2025237971A1 true WO2025237971A1 (en) 2025-11-20

Family

ID=95780413

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/EP2025/063020 Pending WO2025237971A1 (en) 2024-05-13 2025-05-13 User identity authentication in a communication network

Country Status (1)

Country Link
WO (1) WO2025237971A1 (en)

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2018071222A1 (en) * 2016-10-12 2018-04-19 Microsoft Technology Licensing, Llc User and device authentication for web applications
US20190140844A1 (en) * 2017-11-08 2019-05-09 Averon Us, Inc. Identity-linked authentication through a user certificate system
US20190222570A1 (en) * 2018-01-17 2019-07-18 Baldev Krishan Method and system for performing user authentication
WO2020037957A1 (en) * 2018-08-23 2020-02-27 刘高峰 Client registration method, apparatus and system
WO2023288037A1 (en) * 2021-07-16 2023-01-19 Login Id Inc. Device and systems for remotely provisioning sim profile with strong identity and strong authentication
US20230091318A1 (en) * 2021-09-17 2023-03-23 Nok Nok Labs, Inc. System and method for pre-registration of fido authenticators
US20230145137A1 (en) * 2020-04-24 2023-05-11 Telefonaktiebolaget Lm Ericsson (Publ) Technique for authenticating operators of wireless terminal devices
