WO2025122043A1

WO2025122043A1 - User authentication in a communication network

Info

Publication number: WO2025122043A1
Application number: PCT/SE2024/050150
Authority: WO
Inventors: Emiliano Merino Vazquez; Manuel Couceiro Dominguez; Miguel Angel MUÑOZ DE LA TORRE ALONSO
Original assignee: Telefonaktiebolaget LM Ericsson AB
Current assignee: Telefonaktiebolaget LM Ericsson AB
Priority date: 2023-12-07
Filing date: 2024-02-15
Publication date: 2025-06-12
Anticipated expiration: 2026-06-07

Abstract

A session controller (18) is configured for use in a communication network (10) The session controller (18) receives a request (22) to establish or update a communication session (16) between a first communication device (12-1) and a second communication device (12-2) via the communication network (10). The session controller (18) obtains a subscriber profile (14P) for a subscriber (14) that is associated with the first communication device (12-1) and that has a subscription to the communication network (10). The session controller (18) makes a decision, based on the subscriber profile (14P), whether or not to require a user (12-1U, 12-2U) of the first or the second communication device (12-1, 12-2) to authenticate himself or herself to the communication network (10) as a prerequisite for establishing or continuing the communication session (16) according to the request (22). The session controller (18) controls establishment or continuation of the communication session (16) to require, or not require, authentication of the user, according to the decision.

Description

USER AUTHENTICATION IN A COMMUNICATION NETWORK

TECHNICAL FIELD

The present application relates generally to a communication network, and relates more particularly to user authentication in such a network.

BACKGROUND

A communication network that provides communication service on a subscription basis allocates subscription credentials to each subscription, and ties each subscription to a respective communication device. The communication network in this regard provisions a communication device with certain subscription credentials by storing those subscription credentials onto an integrated circuit card, Subscriber Identity Module (SIM), or other tamperresistant storage of the communication device. The communication network can thereafter authenticate the communication device on the basis of the subscription credentials stored on the device. This authentication that the communication network performs thereby amounts to authentication of the communication device, not authentication of a user of the communication device. Indeed, the communication network provides communication service to the communication device so long as the communication device presents valid subscription credentials to the communication network, no matter the identity of the user actually using that communication device.

Known approaches to authenticating the user of a communication device leave such user authentication to either the communication device itself or the communicating parties. A communication device may for instance remain in a locked state that provides no or limited functionality, unless and until a user authenticates himself or herself to the device with a personal identification number (PIN), a thumbprint, or facial recognition. Problematically, though, this requires one communicating party to trust that the communication device of the intended other communicating party has activated user authentication and has not been compromised. Alternatively or additionally, one communicating party may for example require the other communicating party to say a passphrase or enter a PIN, e.g., as a precondition for accessing a bank account, medical records, etc. This approach however burdens the communicating parties themselves with securely storing user PINs, maintaining user authentication systems and procedures, etc.

These disadvantages with known approaches to user authentication create obstacles that jeopardize their use, effectiveness, and/or reliability. This proves particularly problematic in the face of emerging threats such as artificial intelligence (Al) voice cloning which has the capability to reproduce a user’s voice and hold a conversation to impersonate the user.

SUMMARY

An object of some embodiments herein is to enable improved use, effectiveness, and/or reliability of user authentication in a communication network. Alternatively or additionally, an object of some embodiments herein is to protect against voice cloning in a communication network.

Some embodiments herein exploit a communication network for authenticating a user of a communication device. One or more such embodiments require a user of a communication device to authenticate himself or herself to the communication network, e.g., in addition to authentication of the communication device itself, before establishing or continuing a communication session via the communication network. By equipping the communication network to perform user authentication in this way, some embodiments advantageously relieve the communication device and/or the communicating parties from the burden of such authentication, as well as bolster the effectiveness and/or reliability of user authentication.

Moreover, some embodiments herein equip a communication network to make a decision on whether or not to require user authentication for a communication session. The communication network in one or more such embodiments makes this decision based on a subscriber profile for a subscriber. The subscriber profile may for example indicate whether or not a user of a communication device associated with the subscriber must authenticate himself or herself to the communication network as a prerequisite for the communication device to establish (e.g., initiate or participate in) any communication session (or any communication session of a certain type). The subscriber profile in these and other embodiments may thereby represent the subscriber’s user authentication requirements in a persistent way, to be applied to any communication sessions (or any communication sessions of a certain type) involving the subscriber’s communication device, as those sessions occur. This advantageously reduces obstacles to use of user authentication because, after the subscriber’s profile is provisioned, the subscriber need not take any special action to require user authentication, e.g., it need not be activated manually every session through user selection or by calling any specific phone number.

Some embodiments nonetheless allow for triggering a requirement for user authentication on-demand, even mid-session. The communication network in this case may make its decision about whether or not to require a user of a communication device to authenticate himself or herself, based on whether another communication device is authorized to trigger such user authentication requirement. Some embodiments in this regard further exploit a subscriber’s profile for indicating whether or not a communication device associated with the subscriber is authorized to trigger the communication network to require a user of another communication device to authenticate himself or herself to the communication network as a prerequisite for continuing any communication session (or any communication session of a certain type) with the communication device. The subscriber profile in such embodiments may thereby represent the subscriber’s user authentication triggering permissions in a persistent way, to be applied to any communication sessions (or any communication sessions of a certain type) involving the subscriber’s communication device, as those sessions occur. Some embodiments advantageously improve the use, effectiveness, and/or reliability of user authentication in a communication network. This in turn improves protection against threats such as artificial intelligence (Al) voice cloning.

More particularly, some embodiments herein include a method performed by a session controller in a communication network. The method comprises receiving a request to establish or update a communication session between a first communication device and a second communication device via the communication network. The method also comprises obtaining a subscriber profile for a subscriber that is associated with the first communication device and that has a subscription to the communication network. The method also comprises making a decision, based on the subscriber profile, whether or not to require a user of the first or the second communication device to authenticate himself or herself to the communication network as a prerequisite for establishing or continuing the communication session according to the request. The method also comprises controlling establishment or continuation of the communication session to require, or not require, authentication of the user, according to the decision.

In some embodiments, the subscriber profile indicates whether or not a user of the first communication device must authenticate himself or herself to the communication network as a prerequisite for the first communication device to establish any communication session or any communication session of a certain type.

In some embodiments, the request is a request from the first communication device to initiate the communication session. In this case, the decision is a decision as to whether or not to require a user of the first communication device to authenticate himself or herself to the communication network as a prerequisite for initiating the communication session. In other embodiments, the request may be a request from the second communication device to initiate the communication session, in which case the decision is a decision as to whether or not to require a user of the first communication device to authenticate himself or herself to the communication network as a prerequisite for establishing the communication session.

In some embodiments, the decision is to require a user of the first or the second communication device to authenticate himself or herself to the communication network as a prerequisite for establishing or continuing the communication session. In one such embodiment, said controlling comprises triggering an authentication server to attempt to authenticate the user, receiving a message from the authentication server indicating whether or not the authentication server authenticated the user, and handling or responding to the request in dependence on the message from the authentication server. In one embodiment, the message from the authentication server indicates the authentication server authenticated the user, and said handling or responding comprises: (i) forwarding the message to another network node in the same or a different communication network, or to the first or second communication device, wherein the message is the request as modified by the authentication server to indicate that the user is authenticated; or (ii) transmitting a response to the request indicating that the user is authenticated. Alternatively or additionally, in some embodiments, said triggering comprises: (i) modifying the request to indicate that a user of the first or the second communication device is required to authenticate himself or herself to the communication network as a prerequisite for establishing or continuing the communication session; and (ii) transmitting the request, as modified, to the authentication server.

In some embodiments, the subscriber profile indicates whether or not the first communication device is authorized to trigger the communication network to require a user of another communication device to authenticate himself or herself to the communication network as a prerequisite for continuing any communication session with the first communication device or any communication session of a certain type with the first communication device. In one such embodiment, the request is a request from the first communication device to update the communication session to trigger the communication network to require a user of the second communication device to authenticate himself or herself to the communication network as a prerequisite for continuing the communication session, and the decision is a decision as to whether or not to require a user of the second communication device to authenticate himself or herself to the communication network as a prerequisite for continuing the communication session.

In some embodiments, the subscriber profile indicates whether or not a protection mode is to be activated for any communication session, or any communication session of a certain type, that the first communication device establishes, or indicates whether or not the subscriber is authorized to activate the protection mode for any communication session or any communication session of the certain type. In this case, when activated, the protection mode requires a user of the first communication device to authenticate himself or herself to the communication network as a prerequisite for the first communication device to establish any communication session or any communication session of the certain type. In one embodiment, the subscriber profile also indicates: (i) whether data connectivity to a data network is blocked for the subscription while the protection mode is activated; and/or (ii) whether text messaging is blocked for the subscription while the protection mode is activated.

In some embodiments, the session controller implements a Serving Call Session Control Function, S-CSCF, in an Internet Protocol, IP, Multimedia Subsystem, IMS, and the subscriber profile is an IMS User Profile.

In some embodiments, the communication session is a voice communication session.

In some embodiments, the method further comprises receiving the subscriber profile from a Home Subscriber Server, HSS. In one embodiment, the subscriber profile is received in a Cx-Push-Profile-Request that includes a field indicating whether or not a protection mode is activated, wherein when activated the protection mode requires a user of the first communication device to authenticate himself or herself to the communication network as a prerequisite for the first communication device to establish any communication session or any communication session of a certain type.

In some embodiments, the decision is a decision of whether or not to require the user to authenticate himself or herself with one or more authentication factors proving that the user knows a secret of the subscriber, that the user has a device or account of the subscriber, and/or that the user has biometric characteristics of the subscriber.

In some embodiments, the request is a Session Initiation Protocol, SIP, INVITE or a SIP RE-INVITE.

Embodiments herein also include a method performed by an authentication server in a communication network. The method comprises receiving, from a session controller in the communication network, a request to establish or update a communication session between a first communication device and a second communication device via the communication network, wherein the request indicates a user of the first or the second communication device must authenticate himself or herself to the communication network as a prerequisite for establishing or continuing the communication session. The method also comprises attempting to authenticate the user to the communication network. The method further comprises transmitting, to the session controller, a message that indicates whether or not the authentication server authenticated the user.

In some embodiments, the request indicates a user of the first communication device must authenticate himself or herself to the communication network as a prerequisite for the first communication device to establish any communication session or any communication session of a certain type. In one such embodiment, the request is a request that originated from the first communication device to initiate the communication session, and wherein the request indicates a user of the first communication device must authenticate himself or herself to the communication network as a prerequisite for initiating the communication session. In another embodiment, the request is a request that originated from the second communication device to initiate the communication session, and wherein the request indicates a user of the first communication device must authenticate himself or herself to the communication network as a prerequisite for establishing the communication session. Either way, in some embodiments, the method comprises modifying the request to indicate that the authentication server authenticated the user, and wherein the message is or includes the request as modified.

In some embodiments, the request originated from the first communication device and indicates that a user of the second communication device must authenticate himself or herself to the communication network as a prerequisite for continuing the communication session.

In some embodiments, the request indicates a user of the first or the second communication device must authenticate himself or herself to the communication network as a prerequisite for establishing or continuing the communication session, by indicating whether or not a protection mode is activated for the communication session, wherein when activated the protection mode requires a user of the first or the second communication device to authenticate himself or herself to the communication network as a prerequisite for establishing or continuing in any communication session or any communication session of a certain type.

In some embodiments, the session controller implements a Serving Call Session Control Function, S-CSCF, in an Internet Protocol, IP, Multimedia Subsystem, IMS, wherein the request is a Session Initiation Protocol, SIP, INVITE or a SIP RE-INVITE, and wherein the subscriber profile is an IMS user profile.

In some embodiments, attempting to authenticate the user to the communication network comprises: (i) requesting the user to provide one or more authentication factors proving that the user knows a secret of the subscriber, that the user has a device or account of the subscriber, and/or that the user has biometric characteristics of the subscribe; (ii) receiving the one or more authentication factors from the user; and (iii) checking a validity of the one or more authentication factors received.

Embodiments herein also include a method performed by a first communication device. The method comprises establishing a communication session between the first communication device and a second communication device via a communication network. The method also comprises, after establishing the communication session, transmitting, to a session controller in the communication network, a request to update the communication session to trigger the communication network to require a user of the second communication device to authenticate himself or herself to the communication network as a prerequisite for continuing the communication session. The method further comprises receiving, from the session controller, a result of whether or not the communication network authenticated the user of the second communication device.

In some embodiments, the request to update the communication session is, or includes, a request to activate a protection mode for the communication session, wherein when activated for the communication session the protection mode requires a user of the second communication device to authenticate himself or herself to the communication network as a prerequisite for continuing in the communication session.

In some embodiments, the session controller implements a Serving Call Session Control Function, S-CSCF, in an Internet Protocol, IP, Multimedia Subsystem, IMS, and wherein the request is a Session Initiation Protocol, SIP, RE-INVITE.

Embodiments herein also include a method performed by a communication device. The method comprises transmitting, to a configuration server in a communication network, a request that the communication network require a user of the communication device to authenticate himself or herself to the communication network as a prerequisite for establishing a communication session. In some embodiments, the communication device is associated with a subscriber that has a subscription to the communication network, and wherein the request is a request that the communication network configure a subscription profile for the subscriber to indicate that a user of the communication device must authenticate himself or herself to the communication network as a prerequisite for establishing any communication session or any communication session of a certain type. In one embodiment, the subscription profile is an Internet Protocol, IP, Multimedia Subsystem, IMS, User Profile.

In some embodiments, the request is a request for the communication network to activate a protection mode for any communication session, or any communication session of a certain type, that the first communication device establishes, wherein, when activated, the protection mode requires a user of the communication device to authenticate himself or herself to the communication network as a prerequisite for the communication device to establish any communication session or any communication session of the certain type.

In some embodiments, the request further requests the communication network to block data connectivity and/or text messaging for the subscription while the protection mode is activated.

In some embodiments, the communication device is associated with a subscriber that has a subscription to the communication network, and wherein the request is a request that the communication network require, as a prerequisite for establishing a communication session, a user of the communication device to authenticate himself or herself to the communication network with one or more authentication factors proving that the user knows a secret of the subscriber, that the user has a device or account of the subscriber, and/or that the user has biometric characteristics of the subscriber. In one embodiment, the request indicates which one or more authentication factors are to be required for authentication of the user to the communication network.

In some embodiments, the configuration server is an extensible Markup Language, XML, Configuration Application Protocol, XCAP, server.

Embodiment also include method performed by a network node in a communication network. The method comprises receiving a request that the communication network require a user of a communication device to authenticate himself or herself to the communication network as a prerequisite for establishing a communication session.

In some embodiments, the communication device is associated with a subscriber that has a subscription to the communication network, and wherein the request is a request that the communication network provision a subscription profile for the subscriber to indicate that a user of the communication device must authenticate himself or herself to the communication network as a prerequisite for establishing any communication session or any communication session of a certain type. In one embodiment, the subscription profile is an Internet Protocol, IP, Multimedia Subsystem, IMS, user profile.

In some embodiments, the request is a request for the communication network to activate a protection mode for any communication session, or any communication session of a certain type, that the first communication device establishes, wherein, when activated, the protection mode requires a user of the communication device to authenticate himself or herself to the communication network as a prerequisite for the communication device to establish any communication session or any communication session of the certain type. In one embodiment, the request further requests the communication network to block data connectivity and/or text messaging for the subscription while the protection mode is activated.

In some embodiments, the communication device is associated with a subscriber that has a subscription to the communication network, and wherein the request is a request that the communication network require, as a prerequisite for establishing a communication session, a user of the communication device to authenticate himself or herself to the communication network with one or more authentication factors proving that the user knows a secret of the subscriber, that the user has a device or account of the subscriber, and/or that the user has biometric characteristics of the subscriber. In some embodiments, the request indicates which one or more authentication factors are to be required for authentication of the user to the communication network.

In some embodiments, the network node serves as configuration server, wherein the configuration server is an extensible Markup Language, XML, Configuration Application Protocol, XCAP, server.

In some embodiments, the method further comprises: (i) deciding whether or not to accept the request, based on a syntax validity of the request and/or conditions in the communication network; and (ii) based on deciding to accept the request, propagating the request to a subscriber profile management server in the communication network.

In some embodiments, the network node serves as a subscriber profile management server. In one embodiment, the communication device is associated with a subscriber that has a subscription to the communication network, and wherein the method further comprises provisioning a subscription profile for the subscriber to indicate that a user of the communication device must authenticate himself or herself to the communication network as a prerequisite for establishing any communication session or any communication session of a certain type. In some embodiments, the method further comprises checking whether or not the subscriber is authorized to make the request, wherein said provisioning is performed based on the subscriber being authorized to make the request.

Embodiments also include a method performed by a policy control server in a communication network. The method comprises receiving, from a data repository in the communication network, information indicating: (i) whether or not a protection mode is activated for a subscriber that has a subscription to the communication network, wherein, when activated, the protection mode requires a user of a communication device associated with the subscription to authenticate himself or herself to the communication network as a prerequisite for the communication device to establish or continue any communication session or any communication session of the certain type; and/or (ii) whether or not the communication network is to block data connectivity and/or text messaging for the subscription while the protection mode is activated. The method also comprises, while the protection mode is activated for the subscription, blocking or allowing data connectivity and/or text messaging for the subscription according to the received information.

In some embodiments, the information indicates that the protection mode is activated for the subscriber and that the communication network is to block data connectivity for the subscription while the protection mode is activated, and wherein said blocking comprises, responsive to receiving the information, tearing down any existing data connections for the subscription.

Embodiments herein also include corresponding apparatus, computer programs, and carriers of those computer programs.

Of course, the present disclosure is not limited to the above features and advantages. Indeed, those skilled in the art will recognize additional features and advantages upon reading the following detailed description, and upon viewing the accompanying drawings.

BRIEF DESCRIPTION OF THE DRAWINGS

Figure 1 is a block diagram of a communication network configured to require user authentication according to some embodiments.

Figure 2 is a call flow diagram of a procedure for a communication network to require user authentication according to some embodiments.

Figure 3A is a call flow diagram of a procedure for a communication network to require authentication of a user of a communication device as a prerequisite for that communication device to initiate a communication session according to some embodiments.

Figure 3B is a call flow diagram of a procedure for a communication network to require authentication of a user of a communication device as a prerequisite for that communication device to participate in a communication session according to some embodiments.

Figure 3C is a call flow diagram of a procedure for a communication network to require authentication of a target user of a target communication device as a prerequisite for another communication device to continue participating in a communication session with the target communication device, according to some embodiments.

Figure 4 is a call flow diagram of a procedure for a communication network to configure a subscriber profile regarding user authentication requirements according to some embodiments. Figure 5 is a call flow diagram of a procedure for a communication network to configure a subscriber profile regarding user authentication requirements in an example for an IMS network.

Figure 6 is a call flow diagram of a procedure for a communication network to require authentication of a user of a communication device as a prerequisite for that communication device to initiate a communication session, in an example for an IMS network.

Figure 7 is a call flow diagram of a procedure for a communication network to require authentication of a target user of a target communication device as a prerequisite for another communication device to continue participating in a communication session with the target communication device, in an example for an IMS network.

Figure 8 is a logic flow diagram of a method performed by a session controller in accordance with particular embodiments.

Figure 9 is a logic flow diagram of a method performed by an authentication server in accordance with particular embodiments.

Figure 10 is a logic flow diagram of a method performed by a first communication device in accordance with particular embodiments.

Figure 11 is a logic flow diagram of a method performed by a communication device in accordance with particular embodiments.

Figure 12 is a logic flow diagram of a method performed by a network node in accordance with particular embodiments.

Figure 13 is a logic flow diagram of a method performed by a policy control server in accordance with particular embodiments.

Figure 14 is a block diagram of a communication device in accordance with particular embodiments.

Figure 15 is a block diagram of a session controller in accordance with particular embodiments.

Figure 16 is a block diagram of an authentication server in accordance with particular embodiments.

Figure 17 is a block diagram of a network node in accordance with particular embodiments.

Figure 18 is a block diagram of a policy control server in accordance with particular embodiments.

DETAILED DESCRIPTION

Figure 1 shows a communication network 10 according to some embodiments. The communication network 10 may for instance be a 5G or 6G communication network, e.g., as otherwise specified by the 3^rd Generation Partnership Project (3GPP). The communication network 10 is configured to provide communication service to communication devices, including communication device 12-1 and/or communication device 12-2. In some embodiments, the communication service includes an Internet Protocol (IP) multimedia service, such as Voice over IP (VoIP), in which case the communication network 10 includes an IP Multimedia Subsystem (IMS) for providing such service.

The communication network 10 provides communication service on a subscription basis. As illustrated in Figure 1, a subscriber 14 to the communication network 10 has a subscription 14S to the communication network 10, e.g., according to a contractual agreement between the subscriber 14 and the operator of the communication network 10. In the example of Figure 1, the subscriber 14 owns or is otherwise associated with communication device 12-1 , which receives communication service from the communication network 10 according to the subscriber’s subscription 14S. The communication network 10 in this regard may provision the subscriber’s communication device 14-1 with subscription credentials, e.g., in the form of an International Mobile Subscriber Identity (I MSI) or a Subscription Permanent Identifier (SlIPI). The subscription credentials may for example be stored on an integrated circuit card, Subscriber Identity Module (SIM), or other tamper-resistant storage of the communication device 12-1 in order to associate the communication device 12-1 with the subscriber 14 and/or the subscriber’s subscription 14S. The communication network 10 thereafter authenticates the subscriber’s communication device 12-1 on the basis of the subscription credentials stored on the device 12-1. Authentication of the communication device 12-1 may thereby serve as a prerequisite for the communication device 12-1 to receive communication service from the communication network 10.

The communication network 10 may provide communication service to the subscriber’s communication device 12-1 by enabling the communication device 12-1 to participate in communication sessions. Figure 1 for example shows that a communication session 16 may be established between the subscriber’s communication device 12-1 and another communication device 12-2 via the communication network 10. Such session establishment involves one of the communication devices 12-1, 12-2 initiating the communication session 16 and the other of the communication devices 12-1, 12-2 accepting the communication session 16, such that both communication devices 12-1, 12-2 participate in the communication session 16. A session controller 18 in the communication network 10 may control this communication session 16, such as by controlling the establishment, maintenance, or continuation of the communication session 16. For example, in embodiments where the communication session 16 is an IMS session, e.g., a VoIP session, the session controller 18 may be a Serving Call Session Control Server (S- CSCF).

Some embodiments however account for the possibility that the subscriber 14 may or may not actually be the user 12-1 II of the communication device 12-1 at any given time, despite the subscriber’s association with that device 12-1. For example, the actual user 12-1 II of the subscriber’s communication device 12-1 at any given time may be a person that has stolen the device 12-1, a person that has found the device 12-1 after the subscriber 14 lost it, or any other person that has come into possession of the device 12-1 , with or without knowledge of the subscriber 14. This may be the case especially if the subscriber’s communication device 12-1 either lacks the capability to authenticate the user 12-1 II as being the subscriber 14, or if that capability has been disabled or compromised. Some embodiments herein alternatively or additionally account for the possibility that the user 12-211 of the other communication device 12-2 participating in the communication session 16 may or may not actually be the subscriber associated with that communication device 12-2 either.

Some embodiments herein account for these possibilities by equipping the communication network 10 itself with the capability to perform user authentication, and to perform session control based on the result of such user authentication. In some embodiments as shown in Figure 1, for example, an authentication server 20 in the communication network 10 is configured to perform user authentication, as needed or required, and the session controller 18 is configured to perform session control based on the result of the authentication server’s user authentication. The session controller 18 in this regard may be configured to require user authentication, e.g., in addition to authentication of a communication device itself, before establishing or continuing a communication session via the communication network 10. By equipping the communication network 10 to perform user authentication and user authentication -based session control, some embodiments advantageously relieve the communication device(s) and/or the communicating parties from the burden of such authentication, as well as bolster the effectiveness and/or reliability of user authentication, e.g., to safeguard against user authentication capabilities of the communication devices themselves having been disabled or bypassed. This in turn improves protection against threats such as artificial intelligence (Al) voice cloning.

Some embodiments herein nonetheless recognize that user authentication and user authentication -based session control may not be desired, needed, allowed, or otherwise appropriate for every communication session and/or every communication device. Some embodiments accordingly equip the session controller 18 with the ability to make a decision about whether or not to require user authentication for a given communication session, e.g., on a communication session by communication session basis. In fact, the session controller 18 in one or more such embodiments exploits a subscriber profile 14P for the subscriber 14 as a basis for making this decision. Where the communication network 10 includes an IMS, for instance, the subscriber profile 14P may be or include an IMS User Profile for the subscriber 14, e.g., as specified by 3GPP TS 23.228. The subscriber profile 14P in these and other embodiments may represent the subscriber’s user authentication preferences, requirements, or triggering permissions in a persistent way, to be applied to any communication session (or any communication session of a certain type) involving the subscriber’s communication device 12-1 , as those sessions occur. This way, the subscriber 14 and/or its communication device 12-1 need not be burdened with indicating those preferences, requirements, or triggering permissions every communication session. This in turn advantageously reduces obstacles to use of user authentication because, after the subscriber’s profile 14P is provisioned, the subscriber 14 need not take any special action to require user authentication, e.g., it need not be activated manually every session through user selection or by calling any specific phone number.

Figure 2 shows additional details of some embodiments that exploit the subscriber profile 14 for making a decision about user authentication and user authentication -based session control. As shown, the session controller 18 may receive a request 22 to establish or update a communication session 16 between communication devices 12-1 and 12-2. The request 22 may be received from either one of the communication devices 12-1 , 12-2 involved in the communication session 16. In some embodiments, such as where the communication network 10 includes an IMS, the request 22 is a Session Initiation Protocol (SIP) INVITE or REINVITE request.

Regardless, based on communication device 12-1 being a party to the communication session 16 that is requested to be established or updated, the session controller 18 obtains the subscriber profile 14P for the subscriber 14 associated with the communication device 12-1 . The subscriber profile 14P may for instance be retrieved from a memory or repository 19 as shown in Figure 2. In one embodiment, the session controller 18 retrieves the subscriber profile 14P from a memory or repository 19 at another network node, e.g., a Uniform Data Repository (UDR). In one such embodiment, the subscriber profile 14P is received in a Cx-Push-Profile- Request. In another embodiment, the session controller 18 retrieves the subscriber profile 14P from a memory or repository 19 that is local to the session controller 18, e.g., as a local copy stored after having previously retrieved the subscriber profile 14P from another network node upon registration of the communication device 14-1 with the communication network 10.

Based on the subscriber profile 14P obtained, the session controller 18 makes a decision of whether or not to require a user 12-1 U, 12-2U of communication device 12-1 or communication device 12-2 to authenticate himself or herself to the communication network 10 as a prerequisite for establishing or continuing the communication session 16 (according to the request) (Block 24). In particular, in one embodiment, the decision is a decision of whether or not to require a user 12-1 U of communication device 12-1 to authenticate himself or herself to the communication network 10 as a prerequisite for establishing or continuing the communication session 16. In another embodiment, the decision is a decision of whether or not to require a user 12-2U of communication device 12-2 to authenticate himself or herself to the communication network 10 as a prerequisite for establishing or continuing the communication session 16. Either way, the session controller 18 then controls establishment or continuation of the communication session 18 to require, or not require, authentication of the user 12-1 U, 12- 2U, according to that decision. In this regard, if the decision is to require authentication of the user 12-1 II, 12-211, the session controller 18 as shown may trigger 28 the authentication server 20 to attempt to authenticate the user 12-1 II, 12-211. The authentication server 20 may correspondingly attempt to authenticate the user 12-1 II, 12-211 (Block 30), e.g., via a user authentication procedure 32 with the user 12-1 II of communication device 12-1 or the user 12-211 of communication device 12-2. For instance, in order to attempt to authenticate a user 12-1 II of the communication device 12-1 associated with the subscriber 12, the authentication server 20 may attempt to authenticate the user 12-1 II with one or more authentication factors proving that the user 12-1 II knows a secret (e.g., a PIN) of the subscriber 14, that the user 12-1 II has a device 12-1 or account of the subscriber 14, and/or that the user 12-1 II has biometric characteristics (e.g., a fingerprint or voice) of the subscriber 14. Upon receiving such one or more authentication factors, the authentication server 20 may check a validity of the authentication factor(s). No matter the particular type of user authentication, though, after such attempt, the authentication server 20 may transmit a message 34 to the session controller 18 indicating whether or not the authentication server 20 authenticated the user 12-1 U, 12-2U. The session controller 18 may then correspondingly handle or respond to the request 22 to establish or update the communication session 16, based on the result of the user authentication attempt.

For instance, if the message 34 from the authentication server 20 indicates that the authentication server 20 was unable to authenticate the user 12-1 U, 12-2U, the session controller 18 may determine that the user authentication prerequisite for establishing or updating the communication session 16 has not been met and correspondingly reject the request 22 to establish or update the communication session 16. On the other hand, if the message 34 from the authentication server 20 indicates that the authentication server 20 authenticated the user 12-1 U, 12-2U, the session controller 18 may determine that the user authentication prerequisite for establishing or updating the communication session 16 has been met and correspondingly proceed to establish or update the communication session 16 as requested. In this latter case, for example, the session controller 18 may transmit a response 38 to the request 22 indicating a result of the user authentication, e.g., that the user 12-1 U, 12-2U is authenticated. In another example not shown, the session controller 18 may forward the message 34 from the authentication server 20 to another network node in the communication network 10, or to one of the communication devices 12-1, 12-2. In this case, the message 34 may be the request 22 as modified by the authentication server 20 to indicate that the user 12- 1 U, 12-2U is authenticated.

Figures 3A-3C illustrate various examples for different scenarios. Figure 3A shows a first example where the request 22 in Figure 2 is received from the communication device 12-1 associated with the subscriber 14 and is a request to establish (e.g., initiate) the communication session 16. In this example, the subscriber’s subscriber profile 14P indicates whether or not a user 12-1 U of the subscriber’s communication device 12-1 must authenticate himself or herself to the communication network 10 as a prerequisite for the communication device 12-1 to establish any communication session (or any communication session of a certain type, e.g., any voice communication session). Having obtained such a subscriber profile 14P, the session controller 18 makes a decision of whether or not to require authentication of the user 12-1 II of the communication device 12-1 as the originating user, i.e. , the user that is attempting to initiate the communication session 16.

In Figure 3A’s example, the session controller’s decision is that such authentication of the user 12-1 II of the subscriber’s communication device 12-1 is required. As part of controlling establishment of the communication session 16 to require authentication of the user 12-1 II according to this decision, the session controller 18 triggers the authentication server 20 to attempt to authenticate the user 12-1 II. The session controller 18 in this example does this by modifying the request 22 to obtain a modified request 22M-1. For example, the session controller 18 may change or add one or more headers in the request 22. The modified request 22M-1 as so modified indicates that the user 12-1 II of the communication device 12-1 is required to authenticate himself or herself to the communication network 10 as a prerequisite for establishing the communication session 16. Based on this modified request 22M-1 , the authentication server 20 attempts to authenticate the user 12-1 II. The authentication server 20 then further modifies the modified request 22M-1 , to obtain a further modified request 22M-2 that indicates a result of the user authentication attempt, e.g., that the user 12-1 II is authenticated. The session controller 18 then handles the request 22 to establish (or not establish) the communication session 16 based on the authentication result indicated by the further modified request 22M-2. If the user is authenticated according to the authentication result, for example, the session controller 16 may forward the modified request 22M-2 towards communication device 12-2 as part of a process to establish the communication session 16. This may for instance involve transmitting the modified request 22M-2 to communication device 12-2, either directly or via one or more other network nodes 40 in the same or a different communication network.

Figure 3B by contrast shows a second example where the request 22 in Figure 2 is again a request to establish (e.g., initiate) the communication session 16, but it is received from communication device 12-2, i.e., a communication device other than the communication device 12-1 associated with the subscriber 14. In this example, the subscriber’s subscriber profile 14P indicates whether or not a user 12-1 II of the subscriber’s communication device 12-1 must authenticate himself or herself to the communication network 10 as a prerequisite for the communication device 12-1 to participate in any communication session (or any communication session of a certain type, e.g., any voice communication session). Having obtained such a subscriber profile 14P, the session controller 18 makes a decision of whether or not to require authentication of the user 12-1 II of the communication device 12-1 as the terminating user, i.e., the user that is invited to participate in the communication session 16. In Figure 3B’s example, the session controller’s decision is that such authentication of the user 12-1 II of the subscriber’s communication device 12-1 is required. The flow in Figure 3B then proceeds similarly to that shown in Figure 3A, except that the session controller 18 transmits the modified request 22M-2 towards the communication device 12-1 , rather than communication device 12-2.

Whereas the examples in Figures 3A and 3B concern user authentication as a prerequisite to establish the communication session 16, the example in Figure 3C concerns user authentication as a prerequisite to continuing the communications session 16 after it has previously been established. In this case, then, the request 22 in Figure 2 is received from the communication device 12-1 associated with the subscriber 14 and is a request to update the communication session 16, as the communication session 16 has been previously established. In particular, the request 22 is a request from communication device 12-1 to update the communication session 16 to trigger the communication network 10 to require a user 12-211 of communication device 12-2 to authenticate himself or herself to the communication network 10 as a prerequisite for continuing the communication session 16 with communication device 12-1. User 12-2 of communication device 12-2 is thereby the target of the user authentication requirement.

The subscriber’s subscriber profile 14P however indicates whether or not the communication device 12-1 is authorized to trigger the communication network 10 to require a user of another communication device to authenticate himself or herself to the communication network 10 as a prerequisite for continuing any communication session with the communication device 12-1 or any communication session of a certain type with communication device 12-1 , e.g., any voice communication session. Having obtained such a subscriber profile 14P, the session controller 18 makes a decision (Block 24) of whether or not to require a user 12-2U of the communication device 12-2 to authenticate himself or herself to the communication network 10 as a prerequisite for continuing the communication session 16. For instance, if the subscription profile 14P indicates the subscriber’s communication device 12-1 is authorized to trigger authentication of the user of another communication device, the session controller 18 may decide to require the user 12-2U of the communication device 12-2 to authenticate himself or herself to the communication network 10 as a prerequisite for continuing the communication session 16.

In Figure 3C’s example, the session controller 178 decides to require the user 12-2U of the communication device 12-2 to authenticate himself or herself to the communication network 10 as a prerequisite for continuing the communication session 16. As part of controlling continuation of the communication session 16 to require authentication of the user 12-2U according to this decision, the session controller 18 triggers the authentication server 20 to attempt to authenticate the user 12-2U. The session controller 18 in this example does this by modifying the request 22 to obtain a modified request 22M-1. For example, the session controller 18 may change or add one or more headers in the request 22. The modified request 22M-1 as so modified indicates that the user 12-211 of the communication device 12-2 is required to authenticate himself or herself to the communication network 10 as a prerequisite for continuing the communication session 16. Based on this modified request 22M-1 , the authentication server 20 attempts to authenticate the user 12-211. The authentication server 20 then further transmits a notification 31 to the session controller 18 indicating the result of the authentication attempt, e.g., where the notification may be a SIP OK message. The session controller 18 then responds to the request 22 based on the authentication result indicated by the notification 31. If the user is authenticated according to the authentication result, for example, the session controller 16 may transmit a response 38 to the request 22, with the authentication result being that the user 12-211 was authenticated.

Note that, in some embodiments, a requirement of user authentication as a prerequisite for establishing or continuing the communication session 16 may be instituted or defined as being enforced when a so-called protection mode is activated for that communication session. For example, when activated, the protection mode may require a user 12-1 II of the subscriber’s communication device 12-1 to authenticate himself or herself to the communication network 10 as a prerequisite for the communication device 12-1 to establish any communication session (or any communication session of the certain type, e.g., voice communication sessions). In this case, the messages or signaling herein, and/or the subscriber profile 14P, may be framed in terms of whether or not the protection mode is, or is to be, activated for a communication session. For instance, the subscriber profile 14P may indicate whether or not the protection mode is to be activated for any communication session, or any communication session of a certain type, that the subscriber’s communication device 12-1 establishes, or indicates whether or not the subscriber 14 is authorized to activate the protection mode for any communication session or any communication session of the certain type. Similarly, then, the session controller’s decision herein may be realized by the session controller 18 deciding whether or not to activate the protection mode for a communication session. Accordingly, the session controller 18 in the examples of Figures 3A-3C may trigger the authentication server 20 to perform user authentication by modifying the 16 request 22 to indicate that the protection mode is activated for the communication session 16.

In some embodiments, especially where the protection mode is activated for voice communication sessions in particular, the protection mode may protect against voice cloning. That is, voice cloning is what the protection mode targets to protect against. In this case, the protection mode may be referred to as a voice cloning protection mode.

In these and other embodiments where the protection mode is activatable to protect voice communication sessions, the protected mode may optionally, at the subscriber’s discretion, also protect data connectivity and/or text messaging. In some embodiments, for example, the subscriber 14 may opt to have the communication network 10 block data connectivity and/or text messaging for the subscription while the protection mode is activated. In this case, the subscriber profile 14P may thereby indicate whether data connectivity to a data network (e.g., the Internet) and/or text messaging is blocked for the subscription while the protection mode is activated. If so, the communication network 10 (e.g., via a policy control server) blocks data connectivity and/or text messaging for the subscriber’s subscription any time that the protection mode is activated for any communication session (or any communication session of a certain type) that the communication device 12-1 establishes (e.g., initiates or participates in). If the protection mode is activated while data connectivity and/or text messaging is already ongoing, the communication network 10 may interrupt, disconnect, or otherwise tear down that ongoing data connectivity and/or text messaging, e.g., by tearing down any existing data connections for the subscription.

Consider now Figure 4 which illustrates some embodiments for how to configure the communication network 10 to require user authentication as described herein, e.g., where the subscriber 14 has the option to choose between requiring and not requiring user authentication. In the example of Figure 4, the subscriber 14 wants the communication network 10 to require a user 12-1 II of the subscriber’s communication device 12-1 to authenticate himself or herself to the communication network 10 as a prerequisite for establishing any communication session (or any communication session of a certain type). At the subscriber’s option, then, the subscriber 14 in this regard takes some action 50 to trigger the communication network 10 to configure such user authentication requirement for the subscriber 14. This subscriber action 50 may for example include the subscriber 14 selecting the option to require user authentication, with this selection being performed by the subscriber 14 on the subscriber’s communication device 12-1 or on a web interface for the subscriber’s account with the operator of the communication networklO. Either way, this subscriber action 50 may trigger a corresponding request 52 to one or more network nodes 44 in the communication network 10, requesting that the communication network 10 require a user 12-1 of the subscriber’s communication device 12-1 to authenticate himself or herself to the communication network 10 as a prerequisite for establishing a communication session (or any communication session of a certain type).

In some embodiments, for example, the subscriber’s choice to require user authentication is made persistent by indicating the user authentication requirement in the subscriber’s subscriber profile 14P. In one or more such embodiments, then, the request 52 to the network node(s) 44 may be or include a request that the communication network 10 configure the subscriber’s subscription profile 14P to indicate that a user 12-1 III of the communication device 12-1 must authenticate himself or herself to the communication network 10 as a prerequisite for establishing any communication session, or any communication session of a certain type, e.g., any voice communication session. By in a sense memorializing the subscriber’s choice for the user authentication requirement in the subscriber profile 14P, user authentication will advantageously be required as a prerequisite to thereafter establish any communication session (or any communication session of the certain type), even without further action on the part of the subscriber 14.

Alternatively or additionally, in embodiments where the user authentication requirement is enforced for any communication session for which a protection mode is activated, the request 52 to the network node(s) 44 may be or include a request for the communication network 10 to activate a protection mode for any communication session, or any communication session of a certain type, that the subscriber’s communication device 12-1 establishes. Moreover, in some embodiments the subscriber’s option is further extended to whether or not the communication network 10 blocks data connectivity and/or text messaging while the protection mode is activated. In this case, the request 52 may further request the communication network 10 to block data connectivity and/or text messaging for the subscriber’s subscription while the protection mode is activated.

In still other embodiments, the request 52 to the network node(s) 44 may be or include a request that the communication network 10 require, as a prerequisite for establishing a communication session, a user 12-1 II of the subscriber’s communication device 12-1 to authenticate himself or herself to the communication network 10 with one or more authentication factors proving that the user 12-1 II knows a secret of the subscriber 14, that the user 12-1 II has a device or account of the subscriber 14, and/or that the user 12-1 II has biometric characteristics of the subscriber 14. In fact, in some embodiments, the request 52 itself indicates which one or more authentication factors are to be required for authentication of the user 12-1 II to the communication network 10. The subscriber 14 may thereby be given some discretion as to the type and/or extent of user authentication that is required.

In any event, in receipt of the request 52 from the subscriber 14 or the subscriber’s communication device 12-1 , the one or more network nodes 44 may correspondingly configure the communication network 10 as requested. This may involve validating the request (Block 54) and/or checking whether the subscriber profile 14P authorizes the subscriber to require user authentication (Step 56). With regard to the latter, the network node(s) 44 as shown may retrieve the subscriber profile 14P for use in checking whether the subscriber is authorized to make the request 52. If the request is validated and the subscriber is authorized to make the request 52, the network node(s) 44 configure the subscriber’s subscriber profile 14P (e.g., in the repository 19) according to the request 52. This way, the session controller 18 may correspondingly obtain the subscriber profile 14P, e.g., from repository 19.

More particularly in this regard, the network node(s) 44 as shown in some embodiments may include a configuration server 44-1 and/or a subscriber profile management server 44-2. The configuration server 44-1 in one such embodiment may ingest the request 52 and decide as a general matter, in a non-subscriber-specific way, whether or not to accept the request 52. The decision as to whether or not to accept the request 52 may for instance be made based on a syntax validity of the request 52 and/or conditions in the communication network 10 such as load or other factors impacting the ability of the communication network 10 to accept the request 52. In embodiments where the request 52 is to conform to the extensible Markup Language (XML) Configuration Application Protocol (XCAP), for instance, the configuration server 44-1 may be an XCAP server. Regardless, based on deciding to accept the request 52, the configuration server 44-1 may propagate the request 52 to the subscriber profile management server 44-2. The subscriber profile management server 44-2 may correspondingly provision the subscription profile 14P for the subscriber 14 to indicate that a user 12-1 of the subscriber’s communication device 12-1 must authenticate himself or herself to the communication network 10 as a prerequisite for establishing any communication session or any communication session of a certain type, as requested. In some embodiments, though, the subscriber profile management server 44-2 first checks whether or not the subscriber 14 is authorized to make the request 52, with provisioning of the subscriber profile 14P according to the request 52 being performed only if the subscriber is indeed authorized to make that request 52.

Consider now various concrete examples in a context where embodiments herein protect against voice cloning. Indeed, with the rapid development of multi-modal artificial intelligence (Al), voice cloning threatens to maliciously trick others into believing that they are talking to someone whose voice and/or conversation mechanics they know. In fact, emerging Als can hold any voice and any conversation held using authenticated UEs. This type of scam may for example be carried out from a stolen or found phone, with the perpetrator cloning the voice of the phone’s owner in order to impersonate the phone’s owner. The perpetrator in this case need not even spoof the owner’s phone number.

In this example, then, embodiments herein guard against various threats that voice cloning poses in various sectors. In the financial sector, for instance, embodiments herein guard against voice cloning that would otherwise undermine voice-based authentication systems traditionally used for secure access and banking transactions. Seme embodiments accordingly guard against voice cloning -based identity theft which would permit unauthorized access to accounts and subsequent fraudulent activity and thereby jeopardize the trust and security of financial institutions. Other embodiments herein guard against voice cloning as applied to customer service and call centers. Some embodiments in this regard guard against voice cloning allowing criminals to replicate customer service agents' voices, enabling social engineering attacks, phishing schemes, and other fraudulent operations that prey on unwary customers. Finally, some embodiments herein guard against private calling numbers impersonating a familiar voice (e.g., family member voice cloning) to obtain illicit benefits.

Towards this end, some embodiments define procedure(s) and subscription data to enable “voice cloning protection” mode either temporarily (at the subscriber’s option on- demand) or permanently (via subscriber profile provisioning on a per subscriber basis). If a user requests the “protection” mode prior to using voice service (i.e. , either before making calls or receiving calls), he or she will be asked which type of end-user authentication is required (e.g., ID + pin code, biometrics, voice recognition against recorded voice pattern from the end user, or some other over-the-top mechanism). He or she may also be asked whether data connectivity is allowed while the temporary mode is enabled. This is to prevent other cases like some person borrowing a phone and sending text/chat messages on someone’s behalf, instead of using voice service (and triggering the end user authentication herein).

That said, in some embodiments, the communication network 10 must first authorize a user to request or activate the “voice cloning protection” mode. That is, the communication network 10 will provision per subscriber whether the “voice cloning protection” made is allowed to be requested for, e.g., all incoming calls, all outgoing calls, on-demand for an ongoing call. This new information per subscriber will then have multiple and additional variants: 1) while the temporary mode is activated, data connectivity may be blocked/disallowed, e.g., no Internet is allowed; and 2) data connectivity is still allowed, such that “protection” mode is strictly enforced to prevent voice cloning. There may be additional variants, e.g., originating text message is barred when voice cloning protection mode is ON.

Some embodiments herein furthermore provide new subscription data for “voice cloning protection” mode, so that either the network operator (via provisioning) or the subscriber 14 (via subscriber procedures) can activate it on-demand (e.g., when a bank requires to authenticate the end user in the middle of a voice call to digitally sign a new product). This “protection mode” may be spread across the communication network 10 so that, from that moment on, all voice calls initiated from the UE or received by the UE are sent to an authentication server 20 in charge of authenticating the person using the UE. Additionally, if protection mode indicates that data connection is to be disallowed, any active data connection/session (data connectivity, e.g., internet) is torn down, and any attempt to acquire data connection from the UE will be rejected by the network (in addition to voice cloning prevention when using voice service).

Note that user authentication herein may advantageously be based on a subscriber profile 14P and/or via subscriber procedures, either off-call or mid-call. Basing user authentication on a subscriber profile 14P advantageously makes some embodiments herein agnostic to the dialed number, such that the communication network 10 can determine user authentication is required or requested no matter the originating and/or terminating phone number of the communication session 16.

Also, given that voice service is regulatory, some embodiments herein may be implemented using existing standardized communication networks (which is already used for emergency calls), instead of relying on over-the-top solutions or proprietary solutions offered by 3PP. Indeed, given that no matter the number of applications involved in a VoIP call, the core network (IMS) is always in charge of the call control plane. Certain embodiments may provide one or more of the following technical advantage(s). Some embodiments prevent a malicious user or an Al from impersonating the owner of a communication device. Alternatively or additionally, some embodiments allow the communication network 10 to present or confirm a persona identity to any destination user/number, even if the calling number is unknown to the destination user. Alternatively or additionally, some embodiments allow an end user to ensure that voice cloning is not in use mid-call, such as when a voice conversation gets to a point where consent or a decision needs to be made (e.g., when digitally signing a document on the phone).

With these concrete use cases in mind, Figures 5-7 show various call flows for different circumstances. In Figures 5-7, the communication network 10 is exemplified as a 5G network that includes an IMS network, the communication session 16 is exemplified as a voice call, network node 44-1 is exemplified as an XCAP server, network node 44-2 is exemplified as a telephony server that manages the subscription profile 14P as well as manages voice calls, repository 19 is exemplified as a UDR, the communication devices 12-1, 12-2 are each a user equipment (UE), and the communication network 10 requires user authentication when a voice cloning protection mode is activated for the communication session 16. Also for purposes of this example, communication device 12-1 is exemplified as UE A, the user 12-1 U of communication device 12-1 is exemplified as User A, communication device 12-2 is exemplified as UE B, and the user 12-2U of communication device 12-2 is exemplified as User B.

Figure 5 in particular depicts a procedure for a subscriber to configure his or her subscription profile so that the “voice cloning protection” mode will be activated for any communication session (or any communication session of a certain type) thereafter.

0. While in possession of his or her own UE, the owner of UE A 12-1 activates (e.g., using biometrics) the voice cloning protection mode. This is an example of the subscriber action 50 in Figure 4.

1. UE A 12-1 sends a request to the XCAP server 44-1 (similar to when the UE activates a service, e.g., call forwarding). This request exemplifies the request 52 in Figure 4. The request includes a protection-mode information element that indicates whether or not the voice cloning protection mode is requested to be on or off. A value of ON as shown indicates that the voice cloning protection mode is requested to be on, i.e., activated. The request may also optionally include one or more headers or fields, e.g., data=off, authentication- required=user-pin, calls initiated and received by the UE, etc. Here, data=off indicates that data connectivity is to be “off” or torn down while the voice cloning protection mode is activated. The header authentication-required = user-pin indicates that user authentication is to be performed via a user PIN. Finally, call=originating/terminating means that the voice cloning protection mode is to be activated for both originating calls and terminating calls. 2. After the XCAP server 44-1 validates the request and/or determines to allow the request, the XCAP server 44-1 forwards the request to the telephony server 44-2, e.g., an MMTEL application server.

3. After checking that User A is authorized to activate the voice cloning protection mode, the telephony server 44-2 writes this information in the HSS 19, e.g., via Sh (or Nudm_ims_sdm service in 5GC), with a new data-reference (secure-mode).

4. The HSS 19 checks whether updates are allowed (i.e., whether User A is allowed to enable the service or if only the operator of the communication network is allowed to enable the service). If so, HSS updates the IMS User Profile, as an example of the subscriber profile 14P in Figure 1 , for the subscriber in an external database, shown as Uniform Data Repository (UDR) 60.

5. The HSS 19 initiates a Cx-Push-Profile-Request (Cx-PPR) towards the S-CSCF 18, to push the IMS User Profile to the serving CSCF 18. Cx-PPR includes the information (Voice cloning Protection Mode=ON).

6. S-CSCF 18 stores the IMS User Profile locally as part of the UE’s IMS registration context at the S-CSCF 18.

7. At the same time, and in parallel with step 5, UDR 60 notifies PCF 62. UDR 60 may for example be configured to notify PCF 62 when the protection-mode data is updated.

8. Upon reception of UDR notification (which includes Voice cloning Protection Mode variant-> data=off), PCF 62 evaluates the information in the notification and determines to tear down any ongoing data session (Protocol Data Unit, PDU, session) for the UE A 12-1. At this moment, any new data connection attempted by the UE A 12-1 will be rejected by PCF 62, since the Protection Mode information is stored in UDR 60 for PCF 62 to read it anytime.

After the procedure in Figure 5 has been performed to configure the subscription profile, the procedure in Figure 6 may be performed for the communication network 10 to control originating and/or terminating voice calls when protection mode is ON.

1. The user using UE A 12-1 makes a voice call. UE A 12-1 sends a SIP INVITE request to the communication network to initiate the voice call. Note that, in this example, the SIP INVITE request does not indicate anything special regarding the voice cloning protection mode. The SIP INVITER request is an example of the request 22 in Figure 3A.

2. When the SIP INVITE request reaches the S-CSCF 18, the S-CSCF 18 checks the IMS User Profile in the UE registration context which was previously stored at the S-CSCF 18 as described in Figure 5. If the IMS User Profile indicates that voice cloning protection mode is ON (that is, that voice cloning protection mode is to be activated for any voice call from UE A 12-1), the S-CSCF 18 behaves as if the SIP INVITE request included a voice cloning protection mode header. The S-CSCF 18 accordingly evaluates IFC (Initial Filter Criteria). IFC indicates that, if voice cloning protection mode SIP header is present in the SIP INVITE request, the authentication server 20 is to be triggered. 3. In this case, since voice cloning protection mode is ON, the S-CSCF 18 triggers the authentication server 20. To do so, the S-CSCF 18 adds to the SIP INVITE a SIP Header Secure-Mode: ON, data=off,authentication=user-pin. The S-CSCF 18 then transmits this modified SIP INVITE request to the authentication server 20.

4. Recognizing the SIP Header included in the SIP INVITE request, the authentication server 20 requests authentication credentials from the user of UE A 12-1. In this example, the authentication server in particular requests a PIN code from the user of UE A, since the SIP Header has a value of user-pin for authentication.

5. The user of UE A correspondingly introduces his or her PIN code upon being prompted for it by UE A.

6. If authentication of the user is successful (i.e., the PIN code is correct), the authentication server 20 further modifies the SIP INVITE request to include a new SIP header Secure-Mode=verified, together with the ID of the person associated with the PIN code. The authentication server 20 then returns the modified SIP INVITE request to the S-CSCF 18.

7. The S-CSCF 18 then progresses the call as usual, keeping the new SIP header when triggering the telephony server 44-2.

8. The telephony server 44-2 sends back the request after executing originating telephony services (e.g., barring of outgoing calls).

9. The S-CSCF progresses the call towards the destination/terminating network 60, if different from the network of UE A.

10. The terminating network 60 correspondingly progresses the call towards UE B 12-2.

11. When UE B 12-2 receives the terminating call, in addition to UE A’s telephone number, it displays the ID of the person identified by the authentication server 20, so that the called user receives such information.

Hence, any voice call initiated or received by UE A will be sent to the authentication server 20 due to the IMS User Profile of the subscriber indicating that such is to occur. This will occur until the UE’s owner (i.e., subscriber) disables the voice cloning protection mode (e.g., using biometrics again).

Figure 7 shows an alternative procedure in which voice cloning protection mode may be activated on-demand mid-call.

0. User A of UE A 12-1 is already involved in a call. In order to continue the call, though, User A requires at some point (e.g., when a digital signature is required and/or sensitive data or actions are requested by the remote party) that the remote User B is authenticated, e.g., to protect against voice cloning/AI impersonation.

1. To require user authentication of User B, the user A uses subscriber procedures. In particular, UE A triggers a session update to take place by sending a SIP RE-INVITE request, where the SIP RE-INVITE request indicates that authentication is required for the remote end (e.g., user-pin, biometrics, voice recognition). The SIP RE-INVITE request in this regard includes SIP headers Protection-Mode: ON, authentication type=user/pin.

2. When SIP RE-INVITE request reaches the S-CSCF 18, the S-CSCF 18 checks whether the subscriber associated with UE A (assumed in this case to be the same as User A) is authorized to request authentication of the remote User B. The S-CSCF 18 in this regard checks the subscriber’s IMS User Profile for this authorization to request a user-pin at the remote end.

3. If so, the S-CSCF 18 activates the voice cloning protection mode mid-call according to the SIP RE-INVITE request. The S-CSCF 18 accordingly triggers the authentication server 20 by sending the SIP RE-INVITE request to the authentication server 20, with the SIP RE-INVITE request indicating the requested authentication procedure (user-pin).

4. The authentication server 20 requires the remote end to authenticate himself or herself.

5. The remote end user enters his or her user-pin.

6. The authentication server 20 responds with a result of the authentication, e.g., including the id of the end user.

7. The S-CSCF 18 proxies the response towards User A, who checks the id of the remote end user and decides to continue with the voice call.

Note that although some embodiments herein are exemplified with scenarios where a user of a communication device is a human user and/or where a subscriber is a human, embodiments herein are not so limited. Indeed, a subscription may be held by a legal entity such as a business, in which case the subscriber may technically be the legal entity. In this case, references to the subscriber as a “he” or “she” may be extended appropriately to such a legal entity.

In view of the modifications and variations herein, Figure 8 depicts a method performed by a session controller 18 in a communication network 10 in accordance with particular embodiments. The method includes receiving a request 22 to establish or update a communication session 16 between a first communication device 12-1 and a second communication device 12-2 via the communication network 10 (Block 800). The method also comprises obtaining a subscriber profile 14P for a subscriber 14 that is associated with the first communication device 12-1 and that has a subscription to the communication network 10 (Block 810). The method also comprises making a decision, based on the subscriber profile 14P, whether or not to require a user 12-1 U, 12-2U of the first or the second communication device 12-1, 12-2 to authenticate himself or herself to the communication network 10 as a prerequisite for establishing or continuing the communication session 16 according to the request 22 (Block 820). The method also comprises controlling establishment or continuation of the communication session 16 to require, or not require, authentication of the user (12-1 U, 12-2U) according to the decision (Block 830). In some embodiments, the subscriber profile 14P indicates whether or not a user 12-1 II of the first communication device 12-1 must authenticate himself or herself to the communication network 10 as a prerequisite for the first communication device 12-1 to establish any communication session or any communication session of a certain type.

In some embodiments, the request 22 is a request from the first communication device 12-1 to initiate the communication session 16. In this case, the decision is a decision as to whether or not to require a user 12-1 II of the first communication device 12-1 to authenticate himself or herself to the communication network 10 as a prerequisite for initiating the communication session 16. In other embodiments, the request 22 may be a request from the second communication device 12-2 to initiate the communication session 16, in which case the decision is a decision as to whether or not to require a user 12-1 II of the first communication device 12-1 to authenticate himself or herself to the communication network 10 as a prerequisite for establishing the communication session 16.

In some embodiments, the decision is to require a user 12-1 II, 12-211 of the first or the second communication device 12-1 , 12-2 to authenticate himself or herself to the communication network 10 as a prerequisite for establishing or continuing the communication session 16. In one such embodiment, said controlling comprises triggering an authentication server to attempt to authenticate the user, receiving a message from the authentication server indicating whether or not the authentication server authenticated the user, and handling or responding to the request in dependence on the message from the authentication server. In one embodiment, the message from the authentication server indicates the authentication server authenticated the user, and said handling or responding comprises: (i) forwarding the message to another network node in the same or a different communication network 10, or to the first or second communication device 12-1 , 12-2, wherein the message is the request as modified by the authentication server to indicate that the user is authenticated; or (ii) transmitting a response to the request indicating that the user is authenticated. Alternatively or additionally, in some embodiments, said triggering comprises: (i) modifying the request to indicate that a user 12-1 II, 12-211 of the first or the second communication device 12-1, 12-2 is required to authenticate himself or herself to the communication network 10 as a prerequisite for establishing or continuing the communication session 16; and (ii) transmitting the request, as modified, to the authentication server.

In some embodiments, the subscriber profile 14P indicates whether or not the first communication device 12-1 is authorized to trigger the communication network 10 to require a user of another communication device to authenticate himself or herself to the communication network 10 as a prerequisite for continuing any communication session with the first communication device 12-1 or any communication session of a certain type with the first communication device 12-1. In one such embodiment, the request is a request from the first communication device 12-1 to update the communication session 16 to trigger the communication network 10 to require a user of the second communication device 12-2 to authenticate himself or herself to the communication network 10 as a prerequisite for continuing the communication session 16, and the decision is a decision as to whether or not to require a user of the second communication device 12-2 to authenticate himself or herself to the communication network 10 as a prerequisite for continuing the communication session 16.

In some embodiments, the subscriber profile 14P indicates whether or not a protection mode is to be activated for any communication session, or any communication session of a certain type, that the first communication device 12-1 establishes, or indicates whether or not the subscriber 14 is authorized to activate the protection mode for any communication session or any communication session of the certain type. In this case, when activated, the protection mode requires a user 12-1 II of the first communication device 12-1 to authenticate himself or herself to the communication network 10 as a prerequisite for the first communication device 12-1 to establish any communication session or any communication session of the certain type. In one embodiment, the subscriber profile 14P also indicates: (i) whether data connectivity to a data network is blocked for the subscription while the protection mode is activated; and/or (ii) whether text messaging is blocked for the subscription while the protection mode is activated.

In some embodiments, the session controller 18 implements a Serving Call Session Control Function, S-CSCF, in an Internet Protocol, IP, Multimedia Subsystem, IMS, the request is a Session Initiation Protocol, SIP, INVITE or a SIP RE-INVITE, and the subscriber profile 14P is an IMS User Profile.

In some embodiments, the communication session 16 is a voice communication session.

In some embodiments, the method further comprises receiving the subscriber profile 14P from a Home Subscriber Server, HSS. In one embodiment, the subscriber profile 14P is received in a Cx-Push-Profile-Request that includes a field indicating whether or not a protection mode is activated, wherein when activated the protection mode requires a user 12- 1 U of the first communication device 12-1 to authenticate himself or herself to the communication network 10 as a prerequisite for the first communication device 12-1 to establish any communication session or any communication session of a certain type.

In some embodiments, the decision is a decision of whether or not to require the user to authenticate himself or herself with one or more authentication factors proving that the user knows a secret of the subscriber 14, that the user has a device or account of the subscriber 14, and/or that the user has biometric characteristics of the subscriber 14.

Figure 9 depicts a method performed by an authentication server 20 in a communication network 10 in accordance with particular embodiments. The method includes receiving, from a session controller 18 in the communication network 10, a request (22M-1) to establish or update a communication session 16 between a first communication device 12-1 and a second communication device 12-2 via the communication network 10, wherein the request (22M-1) indicates a user 12-1 II, 12-211 of the first or the second communication device 12-1, 12-2 must authenticate himself or herself to the communication network 10 as a prerequisite for establishing or continuing the communication session 16 (Block 900). The method also comprises attempting to authenticate the user 12-1 II, 12-211 to the communication network 10 (Block 910). The method further comprises transmitting, to the session controller 18, a message 22M-1 , 31 that indicates whether or not the authentication server authenticated the user 12-1 II, 12-2U (Block 920).

In some embodiments, the request 22M-1 indicates a user 12-1 II of the first communication device 12-1 must authenticate himself or herself to the communication network 10 as a prerequisite for the first communication device 12-1 to establish any communication session or any communication session of a certain type. In one such embodiment, the request 22M-1 is a request that originated from the first communication device 12-1 to initiate the communication session 16, and wherein the request indicates a user 12-1 II of the first communication device 12-1 must authenticate himself or herself to the communication network 10 as a prerequisite for initiating the communication session 16. In another embodiment, the request 22M-1 is a request that originated from the second communication device 12-2 to initiate the communication session 16, and the request indicates a user 12-1 II of the first communication device 12-1 must authenticate himself or herself to the communication network 10 as a prerequisite for establishing the communication session 16. Either way, in some embodiments, the method comprises modifying the request 22M-1 to indicate that the authentication server authenticated the user. In this case, the message 22M-2 is or includes the request as modified.

In some embodiments, the request 22M-1 originated from the first communication device 12-1 and indicates that a user 12-211 of the second communication device 12-2 must authenticate himself or herself to the communication network 10 as a prerequisite for continuing the communication session 16.

In some embodiments, the request 22M-1 indicates a user 12-1 II, 12-211 of the first or the second communication device 12-1, 12-2 must authenticate himself or herself to the communication network 10 as a prerequisite for establishing or continuing the communication session 16, by indicating whether or not a protection mode is activated for the communication session 16, wherein when activated the protection mode requires a user 12-1 II, 12-211 of the first or the second communication device 12-1 , 12-2 to authenticate himself or herself to the communication network 10 as a prerequisite for establishing or continuing in any communication session or any communication session of a certain type.

In some embodiments, the session controller 18 implements a Serving Call Session Control Function, S-CSCF, in an Internet Protocol, IP, Multimedia Subsystem, IMS, wherein the request is a Session Initiation Protocol, SIP, INVITE or a SIP RE-INVITE, and wherein the subscriber profile 14P is an IMS user profile.

In some embodiments, attempting to authenticate the user to the communication network 10 comprises: (i) requesting the user to provide one or more authentication factors proving that the user knows a secret of the subscriber 14, that the user has a device or account of the subscriber 14, and/or that the user has biometric characteristics of the subscribe; (ii) receiving the one or more authentication factors from the user; and (iii) checking a validity of the one or more authentication factors received.

Figure 10 depicts a method performed by a first communication device 12-1 in a communication network 10 in accordance with particular embodiments. The method includes establishing a communication session 16 between the first communication device 12-1 and a second communication device 12-2 via a communication network 10 (Block 1000). The method also comprises, after establishing the communication session 16, transmitting, to a session controller 18 in the communication network 10, a request 22 to update the communication session 16 to trigger the communication network 10 to require a user 12-211 of the second communication device 12-2 to authenticate himself or herself to the communication network 10 as a prerequisite for continuing the communication session 16 (Block 1010). The method further comprises receiving, from the session controller 18, a result of whether or not the communication network 10 authenticated the user 12-211 of the second communication device 12-2 (Block 1020).

In some embodiments, the request 22 to update the communication session 16 is, or includes, a request to activate a protection mode for the communication session 16, wherein when activated for the communication session 16 the protection mode requires a user 12-211 of the second communication device 12-2 to authenticate himself or herself to the communication network 10 as a prerequisite for continuing in the communication session 16.

In some embodiments, the session controller 18 implements a Serving Call Session Control Function, S-CSCF, in an Internet Protocol, IP, Multimedia Subsystem, IMS, and wherein the request is a Session Initiation Protocol, SIP, RE-INVITE.

In some embodiments, the method may further comprise any of the steps in Figure 11.

Figure 11 depicts a method performed by a communication device 12-1 in a communication network 10 in accordance with particular embodiments. The method transmitting, to a configuration server 44-1 in a communication network 10, a request 52 that the communication network 10 require a user 12-111 of the communication device 12-1 to authenticate himself or herself to the communication network 10 as a prerequisite for establishing a communication session 16.

In some embodiments, the communication device 12-1 is associated with a subscriber 14 that has a subscription to the communication network 10, and the request 52 is a request that the communication network 10 configure a subscription profile 14P for the subscriber 14 to indicate that a user 12-1 II of the communication device 12-1 must authenticate himself or herself to the communication network 10 as a prerequisite for establishing any communication session or any communication session of a certain type. In one embodiment, the subscription profile 14P is an Internet Protocol, IP, Multimedia Subsystem, IMS, User Profile.

In some embodiments, the request 52 is a request for the communication network 10 to activate a protection mode for any communication session, or any communication session of a certain type, that the first communication device 12-1 establishes. When activated, the protection mode requires a user 12-1 U of the communication device 12 to authenticate himself or herself to the communication network 10 as a prerequisite for the communication device 12-1 to establish any communication session or any communication session of the certain type.

In some embodiments, the request 52 further requests the communication network 10 to block data connectivity and/or text messaging for the subscription while the protection mode is activated.

In some embodiments, the communication device 12-1 is associated with a subscriber 14 that has a subscription to the communication network 10, and the request 52 is a request that the communication network 10 require, as a prerequisite for establishing a communication session 16, a user of the communication device to authenticate himself or herself to the communication network 10 with one or more authentication factors proving that the user knows a secret of the subscriber 14, that the user has a device or account of the subscriber 14, and/or that the user has biometric characteristics of the subscriber 14. In one embodiment, the request indicates which one or more authentication factors are to be required for authentication of the user to the communication network 10.

In some embodiments, the method may further comprise any of the steps in Figure 10.

Figure 12 depicts a method performed by a network node 44 in a communication network 10 in accordance with particular embodiments. The method includes receiving a request 52 that the communication network 10 require a user 12-1 U of a communication device 12-1 to authenticate himself or herself to the communication network 10 as a prerequisite for establishing a communication session 16 (Block 1200). In some embodiments, the communication device 12-1 is associated with a subscriber 14 that has a subscription to the communication network 10, and the request 52 is a request that the communication network 10 provision a subscription profile 14P for the subscriber 14 to indicate that a user 12-1 II of the communication device 12-1 must authenticate himself or herself to the communication network 10 as a prerequisite for establishing any communication session or any communication session of a certain type. In one embodiment, the subscription profile 14P is an Internet Protocol, IP, Multimedia Subsystem, IMS, user profile.

In some embodiments, the request 52 is a request for the communication network 10 to activate a protection mode for any communication session, or any communication session of a certain type, that the communication device 12-1 establishes. When activated, the protection mode requires a user of the communication device to authenticate himself or herself to the communication network 10 as a prerequisite for the communication device to establish any communication session or any communication session of the certain type. In one embodiment, the request further requests the communication network 10 to block data connectivity and/or text messaging for the subscription while the protection mode is activated.

In some embodiments, the communication device 12-1 is associated with a subscriber 14 that has a subscription to the communication network 10, and the request is a request that the communication network 10 require, as a prerequisite for establishing a communication session 16, a user 12-1 II of the communication device 12-1 to authenticate himself or herself to the communication network 10 with one or more authentication factors proving that the user knows a secret of the subscriber 14, that the user has a device or account of the subscriber 14, and/or that the user has biometric characteristics of the subscriber 14. In some embodiments, the request 52 indicates which one or more authentication factors are to be required for authentication of the user 12-1 II to the communication network 10.

In some embodiments, the network node 44 serves as a configuration server 44-1 , wherein the configuration server 44-1 is an extensible Markup Language, XML, Configuration Application Protocol, XCAP, server.

In some embodiments, the method further comprises: (i) deciding whether or not to accept the request 52, based on a syntax validity of the request 52 and/or conditions in the communication network 10; and (ii) based on deciding to accept the request 52, propagating the request to a subscriber profile management server 44-2 in the communication network 10.

In some embodiments, the network node 44 serves as a subscriber profile management server 44-2. In one embodiment, the communication device 12-1 is associated with a subscriber 14 that has a subscription to the communication network 10. In this case, the method further comprises provisioning a subscription profile 14P for the subscriber 14 to indicate that a user 12-1 U of the communication device 12-1 must authenticate himself or herself to the communication network 10 as a prerequisite for establishing any communication session or any communication session of a certain type. In some embodiments, the method further comprises checking whether or not the subscriber 14 is authorized to make the request 52, wherein said provisioning is performed based on the subscriber 14 being authorized to make the request 52.

In some embodiments, then, the method may further comprise deciding whether or not to accept the request 52, based on a syntax validity of the request 52, conditions in the communication network 10, and/or whether or not a subscriber 14 associated with the communication device is authorized to make the request 52 (Block 1210). The method may further comprise, based on deciding to accept the request 52, provisioning, or triggering provisioning of, a subscription profile 14P for the subscriber 14 to indicate that a user 12-1 II of the communication device 12-1 must authenticate himself or herself to the communication network 10 as a prerequisite for establishing any communication session or any communication session of a certain type (Block 1220).

Figure 13 depicts a method performed by a policy control server 62 in a communication network 10 in accordance with particular embodiments. The method receiving, from a data repository in the communication network 10, information indicating: (i) whether or not a protection mode is activated for a subscriber 14 that has a subscription to the communication network 10, wherein, when activated, the protection mode requires a user 12-1 II of a communication device 12-1 associated with the subscription to authenticate himself or herself to the communication network 10 as a prerequisite for the communication device 12-1 to establish or continue any communication session or any communication session of the certain type; and/or (ii) whether or not the communication network 10 is to block data connectivity and/or text messaging for the subscription while the protection mode is activated (Block 1300). The method also comprises, while the protection mode is activated for the subscription, blocking or allowing data connectivity and/or text messaging for the subscription according to the received information (Block 1310).

In some embodiments, the information indicates that the protection mode is activated for the subscriber 14 and that the communication network 10 is to block data connectivity for the subscription while the protection mode is activated, and wherein said blocking comprises, responsive to receiving the information, tearing down any existing data connections for the subscription.

Embodiments herein also include corresponding apparatuses. Embodiments herein for instance include a communication device 12-1 configured to perform any of the steps of any of the embodiments described above for the communication device 12-1.

Embodiments also include a communication device 12-1 comprising processing circuitry and power supply circuitry. The processing circuitry is configured to perform any of the steps of any of the embodiments described above for the communication device 12-1. The power supply circuitry is configured to supply power to the communication device 12-1. Embodiments further include a communication device 12-1 comprising processing circuitry. The processing circuitry is configured to perform any of the steps of any of the embodiments described above for the communication device 12-1. In some embodiments, the communication device 12-1 further comprises communication circuitry.

Embodiments further include a communication device 12-1 comprising processing circuitry and memory. The memory contains instructions executable by the processing circuitry whereby the communication device 12-1 is configured to perform any of the steps of any of the embodiments described above for the communication device 12-1.

Embodiments moreover include a user equipment (UE). The UE comprises an antenna configured to send and receive wireless signals. The UE also comprises radio front-end circuitry connected to the antenna and to processing circuitry, and configured to condition signals communicated between the antenna and the processing circuitry. The processing circuitry is configured to perform any of the steps of any of the embodiments described above for the communication device 12-1. In some embodiments, the UE also comprises an input interface connected to the processing circuitry and configured to allow input of information into the UE to be processed by the processing circuitry. The UE may comprise an output interface connected to the processing circuitry and configured to output information from the UE that has been processed by the processing circuitry. The UE may also comprise a battery connected to the processing circuitry and configured to supply power to the UE.

Embodiments herein also include a session controller 18 configured to perform any of the steps of any of the embodiments described above for the session controller 18.

Embodiments also include a session controller 18 comprising processing circuitry and power supply circuitry. The processing circuitry is configured to perform any of the steps of any of the embodiments described above for the session controller 18. The power supply circuitry is configured to supply power to the session controller 18.

Embodiments further include a session controller 18 comprising processing circuitry. The processing circuitry is configured to perform any of the steps of any of the embodiments described above for the session controller 18. In some embodiments, the session controller 18 further comprises communication circuitry.

Embodiments further include a session controller 18 comprising processing circuitry and memory. The memory contains instructions executable by the processing circuitry whereby the session controller 18 is configured to perform any of the steps of any of the embodiments described above for the session controller 18.

Embodiments herein also include an authentication server 20 configured to perform any of the steps of any of the embodiments described above for the authentication server 20.

Embodiments also include an authentication server 20 comprising processing circuitry and power supply circuitry. The processing circuitry is configured to perform any of the steps of any of the embodiments described above for the authentication server 20. The power supply circuitry is configured to supply power to the authentication server 20.

Embodiments further include an authentication server 20 comprising processing circuitry. The processing circuitry is configured to perform any of the steps of any of the embodiments described above for the authentication server 20. In some embodiments, the authentication server 20 further comprises communication circuitry.

Embodiments further include an authentication server 20 comprising processing circuitry and memory. The memory contains instructions executable by the processing circuitry whereby the authentication server 20 is configured to perform any of the steps of any of the embodiments described above for the authentication server 20.

Embodiments herein also include a network node 44 configured to perform any of the steps of any of the embodiments described above for the network node 44.

Embodiments also include a network node 44 comprising processing circuitry and power supply circuitry. The processing circuitry is configured to perform any of the steps of any of the embodiments described above for the network node 44. The power supply circuitry is configured to supply power to the network node 44.

Embodiments further include a network node 44 comprising processing circuitry. The processing circuitry is configured to perform any of the steps of any of the embodiments described above for the network node 44. In some embodiments, the network node 44 further comprises communication circuitry.

Embodiments further include a network node 44 comprising processing circuitry and memory. The memory contains instructions executable by the processing circuitry whereby the network node 44 is configured to perform any of the steps of any of the embodiments described above for the network node 44.

Embodiments herein also include a policy control server 62 configured to perform any of the steps of any of the embodiments described above for the policy control server 62.

Embodiments also include a policy control server 62 comprising processing circuitry and power supply circuitry. The processing circuitry is configured to perform any of the steps of any of the embodiments described above for the policy control server 62. The power supply circuitry is configured to supply power to the policy control server 62.

Embodiments further include a policy control server 62 comprising processing circuitry. The processing circuitry is configured to perform any of the steps of any of the embodiments described above for the policy control server 62. In some embodiments, the policy control server 62 further comprises communication circuitry.

Embodiments further include a policy control server 62 comprising processing circuitry and memory. The memory contains instructions executable by the processing circuitry whereby the policy control server 62 is configured to perform any of the steps of any of the embodiments described above for the policy control server 62. More particularly, the apparatuses described above may perform the methods herein and any other processing by implementing any functional means, modules, units, or circuitry. In one embodiment, for example, the apparatuses comprise respective circuits or circuitry configured to perform the steps shown in the method figures. The circuits or circuitry in this regard may comprise circuits dedicated to performing certain functional processing and/or one or more microprocessors in conjunction with memory. For instance, the circuitry may include one or more microprocessor or microcontrollers, as well as other digital hardware, which may include digital signal processors (DSPs), special-purpose digital logic, and the like. The processing circuitry may be configured to execute program code stored in memory, which may include one or several types of memory such as read-only memory (ROM), random-access memory, cache memory, flash memory devices, optical storage devices, etc. Program code stored in memory may include program instructions for executing one or more telecommunications and/or data communications protocols as well as instructions for carrying out one or more of the techniques described herein, in several embodiments. In embodiments that employ memory, the memory stores program code that, when executed by the one or more processors, carries out the techniques described herein.

Figure 14 for example illustrates a communication device 12-1 as implemented in accordance with one or more embodiments. As shown, the communication device 12-1 includes processing circuitry 1410 and communication circuitry 1420. The communication circuitry 1420 (e.g., radio circuitry) is configured to transmit and/or receive information to and/or from one or more other nodes, e.g., via any communication technology. Such communication may occur via one or more antennas that are either internal or external to the communication device 1400. The processing circuitry 1410 is configured to perform processing described above, e.g., in Figure 10 or Figure 11 , such as by executing instructions stored in memory 1430. The processing circuitry 1410 in this regard may implement certain functional means, units, or modules.

Figure 15 illustrates a session controller 18 as implemented in accordance with one or more embodiments. As shown, the session controller 18 includes processing circuitry 1510 and communication circuitry 1520. The communication circuitry 1520 is configured to transmit and/or receive information to and/or from one or more other nodes, e.g., via any communication technology. The processing circuitry 1510 is configured to perform processing described above, e.g., in Figure 8, such as by executing instructions stored in memory 1530. The processing circuitry 1510 in this regard may implement certain functional means, units, or modules.

Figure 16 illustrates an authentication server 20 as implemented in accordance with one or more embodiments. As shown, the authentication server 20 includes processing circuitry 1610 and communication circuitry 1620. The communication circuitry 1620 is configured to transmit and/or receive information to and/or from one or more other nodes, e.g., via any communication technology. The processing circuitry 1610 is configured to perform processing described above, e.g., in Figure 9, such as by executing instructions stored in memory 1630. The processing circuitry 1610 in this regard may implement certain functional means, units, or modules.

Figure 17 illustrates a network node 44 as implemented in accordance with one or more embodiments. As shown, the network node 44 includes processing circuitry 1710 and communication circuitry 1720. The communication circuitry 1720 is configured to transmit and/or receive information to and/or from one or more other nodes, e.g., via any communication technology. The processing circuitry 1710 is configured to perform processing described above, e.g., in Figure 12, such as by executing instructions stored in memory 1730. The processing circuitry 1710 in this regard may implement certain functional means, units, or modules.

Figure 18 illustrates a policy control server 62 as implemented in accordance with one or more embodiments. As shown, the policy control server 62includes processing circuitry 1810 and communication circuitry 1820. The communication circuitry 1820 is configured to transmit and/or receive information to and/or from one or more other nodes, e.g., via any communication technology. The processing circuitry 1810 is configured to perform processing described above, e.g., in Figure 13, such as by executing instructions stored in memory 1830. The processing circuitry 1810 in this regard may implement certain functional means, units, or modules.

Those skilled in the art will also appreciate that embodiments herein further include corresponding computer programs.

A computer program comprises instructions which, when executed on at least one processor of an apparatus, cause the apparatus to carry out any of the respective processing described above. A computer program in this regard may comprise one or more code modules corresponding to the means or units described above.

Embodiments further include a carrier containing such a computer program. This carrier may comprise one of an electronic signal, optical signal, radio signal, or computer readable storage medium.

In this regard, embodiments herein also include a computer program product stored on a non-transitory computer readable (storage or recording) medium and comprising instructions that, when executed by a processor of an apparatus, cause the apparatus to perform as described above.

Embodiments further include a computer program product comprising program code portions for performing the steps of any of the embodiments herein when the computer program product is executed by a computing device. This computer program product may be stored on a computer readable recording medium.

Although the computing devices described herein (e.g., UEs, network nodes, hosts) may include the illustrated combination of hardware components, other embodiments may comprise computing devices with different combinations of components. It is to be understood that these computing devices may comprise any suitable combination of hardware and/or software needed to perform the tasks, features, functions and methods disclosed herein. Determining, calculating, obtaining or similar operations described herein may be performed by processing circuitry, which may process information by, for example, converting the obtained information into other information, comparing the obtained information or converted information to information stored in the network node, and/or performing one or more operations based on the obtained information or converted information, and as a result of said processing making a determination. Moreover, while components are depicted as single boxes located within a larger box, or nested within multiple boxes, in practice, computing devices may comprise multiple different physical components that make up a single illustrated component, and functionality may be partitioned between separate components. For example, a communication interface may be configured to include any of the components described herein, and/or the functionality of the components may be partitioned between the processing circuitry and the communication interface. In another example, non-computationally intensive functions of any of such components may be implemented in software or firmware and computationally intensive functions may be implemented in hardware.

In certain embodiments, some or all of the functionality described herein may be provided by processing circuitry executing instructions stored on in memory, which in certain embodiments may be a computer program product in the form of a non-transitory computer- readable storage medium. In alternative embodiments, some or all of the functionality may be provided by the processing circuitry without executing instructions stored on a separate or discrete device-readable storage medium, such as in a hard-wired manner. In any of those particular embodiments, whether executing instructions stored on a non-transitory computer- readable storage medium or not, the processing circuitry can be configured to perform the described functionality. The benefits provided by such functionality are not limited to the processing circuitry alone or to other components of the computing device, but are enjoyed by the computing device as a whole, and/or by end users and a wireless network generally.

Notably, modifications and other embodiments of the present disclosure will come to mind to one skilled in the art having the benefit of the teachings presented in the foregoing descriptions and the associated drawings. Therefore, it is to be understood that the present disclosure is not to be limited to the specific embodiments disclosed and that modifications and other embodiments are intended to be included within the scope of this disclosure. Although specific terms may be employed herein, they are used in a generic and descriptive sense only and not for purposes of limitation.

Claims

1. A method performed by a session controller (18) in a communication network (10), the method comprising: receiving (800) a request (22) to establish or update a communication session (16) between a first communication device (12-1) and a second communication device (12-2) via the communication network (10); obtaining (810) a subscriber profile (14P) for a subscriber (14) that is associated with the first communication device (12-1) and that has a subscription to the communication network (10); making (820) a decision, based on the subscriber profile (14P), whether or not to require a user (12-1 II, 12-211) of the first or the second communication device (12-1, 12- 2) to authenticate himself or herself to the communication network (10) as a prerequisite for establishing or continuing the communication session (16) according to the request (22); and controlling (830) establishment or continuation of the communication session (16) to require, or not require, authentication of the user, according to the decision.

2. The method of claim 1, wherein the subscriber profile (14P) indicates whether or not a user (12-1 II) of the first communication device (12-1) must authenticate himself or herself to the communication network (10) as a prerequisite for the first communication device (12-1) to establish any communication session or any communication session of a certain type.

3. The method of claim 2, wherein the request (22) is: a request from the first communication device (12-1) to initiate the communication session (16), and wherein the decision is a decision as to whether or not to require a user (12-1 II) of the first communication device (12-1) to authenticate himself or herself to the communication network (10) as a prerequisite for initiating the communication session (16); or a request from the second communication device (12-2) to initiate the communication session (16), and wherein the decision is a decision as to whether or not to require a user (12-1 II) of the first communication device (12-1) to authenticate himself or herself to the communication network (10) as a prerequisite for establishing the communication session (16).

4. The method of any one of claims 1-3, wherein the decision is to require a user (12-1 II, 12-211) of the first or the second communication device (12-1, 12-2) to authenticate himself or herself to the communication network (10) as a prerequisite for establishing or continuing the communication session (16), and wherein said controlling comprises: triggering an authentication server to attempt to authenticate the user; receiving a message from the authentication server indicating whether or not the authentication server authenticated the user; and handling or responding to the request (22) in dependence on the message from the authentication server.

5. The method of claim 4, wherein the message from the authentication server indicates the authentication server authenticated the user, and wherein said handling or responding comprises: forwarding the message to another network node in the same or a different communication network (10), or to the first or second communication device (12- 1 , 12-2), wherein the message is the request (22) as modified by the authentication server to indicate that the user is authenticated; or transmitting a response to the request (22) indicating that the user is authenticated.

6. The method of any one of claims 4-5, wherein said triggering comprises: modifying the request (22) to indicate that a user (12-1 II, 12-211) of the first or the second communication device (12-1, 12-2) is required to authenticate himself or herself to the communication network (10) as a prerequisite for establishing or continuing the communication session (16); and transmitting the request (22), as modified, to the authentication server.

7. The method of any one of claims 1-2, wherein the subscriber profile (14P) indicates whether or not the first communication device (12-1) is authorized to trigger the communication network (10) to require a user of another communication device to authenticate himself or herself to the communication network (10) as a prerequisite for continuing any communication session with the first communication device (12-1) or any communication session of a certain type with the first communication device (12-1), wherein the request (22) is a request from the first communication device (12-1) to update the communication session (16) to trigger the communication network (10) to require a user of the second communication device (12-2) to authenticate himself or herself to the communication network (10) as a prerequisite for continuing the communication session (16), and wherein the decision is a decision as to whether or not to require a user of the second communication device (12-2) to authenticate himself or herself to the communication network (10) as a prerequisite for continuing the communication session (16).

8. The method of any one of claims 1-7, wherein: the subscriber profile (14P) indicates whether or not a protection mode is to be activated for any communication session, or any communication session of a certain type, that the first communication device (12-1) establishes, or indicates whether or not the subscriber (14) is authorized to activate the protection mode for any communication session or any communication session of the certain type, and; when activated, the protection mode requires a user (12-1 II) of the first communication device (12-1) to authenticate himself or herself to the communication network (10) as a prerequisite for the first communication device (12-1) to establish any communication session or any communication session of the certain type.

9. The method of claim 8, wherein the subscriber profile (14P) also indicates: whether data connectivity to a data network is blocked for the subscription while the protection mode is activated; and/or whether text messaging is blocked for the subscription while the protection mode is activated.

10. The method of any one of claims 1-9, wherein the session controller (18) implements a Serving Call Session Control Function, S-CSCF, in an Internet Protocol, IP, Multimedia Subsystem, IMS, and wherein the subscriber profile (14P) is an IMS User Profile.

11. The method of any one of claims 1-10, wherein the communication session (16) is a voice communication session.

12. The method of any one of claims 1-11 , further comprising receiving the subscriber profile (14P) from a Home Subscriber Server, HSS, and wherein the subscriber profile (14P) is received in a Cx-Push-Profile-Request that includes a field indicating whether or not a protection mode is activated, wherein when activated the protection mode requires a user (12-

1 U) of the first communication device (12-1) to authenticate himself or herself to the communication network (10) as a prerequisite for the first communication device (12-1) to establish any communication session or any communication session of a certain type.

13. The method of any one of claims 1-11 , wherein the decision is a decision of whether or not to require the user to authenticate himself or herself with one or more authentication factors proving that the user knows a secret of the subscriber (14), that the user has a device or account of the subscriber (14), and/or that the user has biometric characteristics of the subscriber (14).

14. The method of any one of claims 1-13, wherein the request (22) is a Session Initiation Protocol, SIP, INVITE or a SIP RE-INVITE.

15. A method performed by an authentication server in a communication network (10), the method comprising: receiving (900), from a session controller (18) in the communication network (10), a request (22M-1) to establish or update a communication session (16) between a first communication device (12-1) and a second communication device (12-2) via the communication network (10), wherein the request (22M-1) indicates a user (12-1 II, 12-211) of the first or the second communication device (12-1 , 12-2) must authenticate himself or herself to the communication network (10) as a prerequisite for establishing or continuing the communication session (16); attempting (910) to authenticate the user to the communication network (10); and transmitting (920), to the session controller (18), a message that indicates whether or not the authentication server authenticated the user.

16. The method of claim 15, wherein the request (22M-1) indicates a user (12-1 II) of the first communication device (12-1) must authenticate himself or herself to the communication network (10) as a prerequisite for the first communication device (12-1) to establish any communication session or any communication session of a certain type.

17. The method of claim 16, wherein the request (22M-1) is: a request that originated from the first communication device (12-1) to initiate the communication session (16), and wherein the request indicates a user (12-1 II) of the first communication device (12-1) must authenticate himself or herself to the communication network (10) as a prerequisite for initiating the communication session (16); or a request that originated from the second communication device (12-2) to initiate the communication session (16), and wherein the request indicates a user (12-1 II) of the first communication device (12-1) must authenticate himself or herself to the communication network (10) as a prerequisite for establishing the communication session (16).

18. The method of any one of claims 16-17, further comprising modifying the request (22M- 1) to indicate that the authentication server authenticated the user, and wherein the message is or includes the request (22M-1) as modified.

19. The method of claim 16, wherein the request (22M-1) originated from the first communication device (12-1) and indicates that a user of the second communication device (12-2) must authenticate himself or herself to the communication network (10) as a prerequisite for continuing the communication session (16).

20. The method of any one of claims 16-19, wherein the request (22M-1) indicates a user (12-1 II, 12-211) of the first or the second communication device (12-1 , 12-2) must authenticate himself or herself to the communication network (10) as a prerequisite for establishing or continuing the communication session (16), by indicating whether or not a protection mode is activated for the communication session (16), wherein when activated the protection mode requires a user (12-1 II, 12-211) of the first or the second communication device (12-1, 12-2) to authenticate himself or herself to the communication network (10) as a prerequisite for establishing or continuing in any communication session or any communication session of a certain type.

21. The method of any one of claims 16-20, wherein the session controller (18) implements a Serving Call Session Control Function, S-CSCF, in an Internet Protocol, IP, Multimedia Subsystem, IMS, wherein the request (22M-1) is a Session Initiation Protocol, SIP, INVITE or a SIP RE-INVITE, and wherein the subscriber profile (14P) is an IMS user profile.

22. The method of any one of claims 16-21 , wherein the communication session (16) is a voice communication session.

23. The method of any one of claims 16-22, wherein attempting to authenticate the user to the communication network (10) comprises: requesting the user to provide one or more authentication factors proving that the user knows a secret of the subscriber (14), that the user has a device or account of the subscriber (14), and/or that the user has biometric characteristics of the subscribe; receiving the one or more authentication factors from the user; and checking a validity of the one or more authentication factors received.

24. A method performed by a first communication device (12-1), the method comprising: establishing (1000) a communication session (16) between the first communication device (12-1) and a second communication device (12-2) via a communication network (10); after establishing the communication session (16), transmitting (1010), to a session controller (18) in the communication network (10), a request (22) to update the communication session (16) to trigger the communication network (10) to require a user of the second communication device (12-2) to authenticate himself or herself to the communication network (10) as a prerequisite for continuing the communication session (16); and receiving (1020), from the session controller (18), a result of whether or not the communication network (10) authenticated the user of the second communication device (12-2).

25. The method of claim 24, wherein the request (22) to update the communication session (16) is, or includes, a request to activate a protection mode for the communication session (16), wherein when activated for the communication session (16) the protection mode requires a user of the second communication device (12-2) to authenticate himself or herself to the communication network (10) as a prerequisite for continuing in the communication session (16).

26. The method of any one of claims 24-25, wherein the session controller (18) implements a Serving Call Session Control Function, S-CSCF, in an Internet Protocol, IP, Multimedia Subsystem, IMS, and wherein the request (22) is a Session Initiation Protocol, SIP, RE-INVITE.

27. The method of any one of claims 24-26, wherein the communication session (16) is a voice communication session.

28. A method performed by a communication device (12-1), the method comprising: transmitting (1100), to a configuration server (44-1) in a communication network (10), a request (52) that the communication network (10) require a user (12-1 II) of the communication device (12-1) to authenticate himself or herself to the communication network (10) as a prerequisite for establishing a communication session (16).

29. The method of claim 28, wherein the communication device (12-1) is associated with a subscriber (14) that has a subscription to the communication network (10), and wherein the request (52) is a request that the communication network (10) configure a subscription profile (14P) for the subscriber (14) to indicate that a user (12-1 II) of the communication device (12-1) must authenticate himself or herself to the communication network (10) as a prerequisite for establishing any communication session or any communication session of a certain type.

30. The method of claim 29, wherein the subscription profile (14P) is an Internet Protocol, IP, Multimedia Subsystem, IMS, User Profile.

31. The method of any one of claims 28-30, wherein the request (52) is a request for the communication network (10) to activate a protection mode for any communication session, or any communication session of a certain type, that the first communication device (12-1) establishes, wherein, when activated, the protection mode requires a user (12-1 II) of the communication device (12-1) to authenticate himself or herself to the communication network (10) as a prerequisite for the communication device (12-1) to establish any communication session or any communication session of the certain type.

32. The method of claim 31 , wherein the request (52) further requests the communication network (10) to block data connectivity and/or text messaging for the subscription while the protection mode is activated.

33. The method of any one of claims 28-32, wherein the communication session (16) is a voice communication session.

34. The method of any one of claims 28-33, wherein the communication device (12-1) is associated with a subscriber (14) that has a subscription to the communication network (10), and wherein the request (52) is a request that the communication network (10) require, as a prerequisite for establishing a communication session (16), a user (12-1 II) of the communication device (12-1) to authenticate himself or herself to the communication network (10) with one or more authentication factors proving that the user knows a secret of the subscriber (14), that the user has a device or account of the subscriber (14), and/or that the user has biometric characteristics of the subscriber (14).

35. The method of claim 34, wherein the request (52) indicates which one or more authentication factors are to be required for authentication of the user to the communication network (10).

36. The method of any one of claims 28-35, wherein the configuration server (44-1) is an extensible Markup Language, XML, Configuration Application Protocol, XCAP, server.

37. A method performed by a network node (44) in a communication network (10), the method comprising: receiving (1200) a request (52) that the communication network (10) require a user (12- 1 U) of a communication device (12-1) to authenticate himself or herself to the communication network (10) as a prerequisite for establishing a communication session (16).

38. The method of claim 37, wherein the communication device (12-1) is associated with a subscriber (14) that has a subscription to the communication network (10), and wherein the request (52) is a request that the communication network (10) provision a subscription profile (14P) for the subscriber (14) to indicate that a user (12-1 II) of the communication device (12-1) must authenticate himself or herself to the communication network (10) as a prerequisite for establishing any communication session or any communication session of a certain type.

39. The method of claim 38, wherein the subscription profile (14P) is an Internet Protocol, IP, Multimedia Subsystem, IMS, user profile.

40. The method of any one of claims 37-39, wherein the request (52) is a request for the communication network (10) to activate a protection mode for any communication session, or any communication session of a certain type, that the communication device (12-1) establishes, wherein, when activated, the protection mode requires a user (12-1 II) of the communication device (12-1) to authenticate himself or herself to the communication network (10) as a prerequisite for the communication device (12-1) to establish any communication session or any communication session of the certain type.

41. The method of claim 40, wherein the request (52) further requests the communication network (10) to block data connectivity and/or text messaging for the subscription while the protection mode is activated.

42. The method of any one of claims 37-41, wherein the communication session (16) is a voice communication session.

43. The method of any one of claims 37-42, wherein the communication device (12-1) is associated with a subscriber (14) that has a subscription to the communication network (10), and wherein the request (52) is a request that the communication network (10) require, as a prerequisite for establishing a communication session (16), a user (12-1 II) of the communication device (12-1) to authenticate himself or herself to the communication network (10) with one or more authentication factors proving that the user knows a secret of the subscriber (14), that the user has a device or account of the subscriber (14), and/or that the user has biometric characteristics of the subscriber (14).

44. The method of claim 43, wherein the request (52) indicates which one or more authentication factors are to be required for authentication of the user (12-1 II) to the communication network (10).

45. The method of any one of claims 37-44, wherein the network node (44) serves as a configuration server (44-1), wherein the configuration server (44-1) is an extensible Markup Language, XML, Configuration Application Protocol, XCAP, server.

46. The method of any one of claims 37-45, further comprising: deciding whether or not to accept the request (52), based on a syntax validity of the request (52) and/or conditions in the communication network (10); and based on deciding to accept the request (52), propagating the request (52) to a subscriber profile management server (44-2) in the communication network (10).

47. The method of any one of claims 37-44, wherein the network node (44) serves as a subscriber profile management server (44-2).

48. The method of claim 47, wherein the communication device (12-1) is associated with a subscriber (14) that has a subscription to the communication network (10), and wherein the method further comprises provisioning a subscription profile (14P) for the subscriber (14) to indicate that a user (12-1 U) of the communication device (12-1) must authenticate himself or herself to the communication network (10) as a prerequisite for establishing any communication session or any communication session of a certain type.

49. The method of claim 48, further comprising checking whether or not the subscriber (14) is authorized to make the request (52), wherein said provisioning is performed based on the subscriber (14) being authorized to make the request (52).

50. A method performed by a policy control server (62) in a communication network (10), the method comprising: receiving (1300), from a data repository (19) in the communication network (10), information indicating: whether or not a protection mode is activated for a subscriber (14) that has a subscription to the communication network (10), wherein, when activated, the protection mode requires a user (12-1 U) of a communication device (12-1) associated with the subscription to authenticate himself or herself to the communication network (10) as a prerequisite for the communication device (12-1) to establish or continue any communication session or any communication session of the certain type; and/or whether or not the communication network (10) is to block data connectivity and/or text messaging for the subscription while the protection mode is activated; and while the protection mode is activated for the subscription, blocking or allowing (1310) data connectivity and/or text messaging for the subscription according to the received information.

51. The method of claim 50, wherein the information indicates that the protection mode is activated for the subscriber (14) and that the communication network (10) is to block data connectivity for the subscription while the protection mode is activated, and wherein said blocking comprises, responsive to receiving the information, tearing down any existing data connections for the subscription.

52. A session controller (18) in a communication network (10), the session controller (18) configured to: receive a request (22) to establish or update a communication session (16) between a first communication device (12-1) and a second communication device (12-2) via the communication network (10); obtain a subscriber profile (14P) for a subscriber (14) that is associated with the first communication device (12-1) and that has a subscription to the communication network (10); make a decision, based on the subscriber profile (14P), whether or not to require a user (12-1 II, 12-211) of the first or the second communication device (12-1 , 12-2) to authenticate himself or herself to the communication network (10) as a prerequisite for establishing or continuing the communication session (16) according to the request (22); and control establishment or continuation of the communication session (16) to require, or not require, authentication of the user (12-1 II, 12-211), according to the decision.

53. The session controller (18) of claim 52, configured to perform the method of any one of claims 2-14.

54. An authentication server (20) in a communication network (10), the authentication server (20) configured to: receive, from a session controller (18) in the communication network (10), a request (22M-1) to establish or update a communication session (16) between a first communication device (12-1) and a second communication device (12-2) via the communication network (10), wherein the request (22M-1) indicates a user (12- 1 U, 12-211) of the first or the second communication device (12-1, 12-2) must authenticate himself or herself to the communication network (10) as a prerequisite for establishing or continuing the communication session (16); attempt to authenticate the user (12-1 II, 12-211) to the communication network (10); and transmit, to the session controller (18), a message that indicates whether or not the authentication server (20) authenticated the user.

55. The authentication server of claim 54, configured to perform the method of any one of claims 16-23.

56. A first communication device (12-1) configured to: establish a communication session (16) between the first communication device (12-1) and a second communication device (12-2) via a communication network (10); after establishing the communication session (16), transmit, to a session controller (18) in the communication network (10), a request (22) to update the communication session (16) to trigger the communication network (10) to require a user (12-211) of the second communication device (12-2) to authenticate himself or herself to the communication network (10) as a prerequisite for continuing the communication session (16); and receive, from the session controller (18), a result of whether or not the communication network (10) authenticated the user (12-211) of the second communication device (12-2).

57. The first communication device (12-1) of claim 56, configured to perform the method of any one of claims 25-27.

58. A communication device (12-1) configured to: transmit, to a configuration server (44-1) in a communication network (10), a request (52) that the communication network (10) require a user (12-1 II) of the communication device (12-1) to authenticate himself or herself to the communication network (10) as a prerequisite for establishing a communication session (16).

59. The communication device of claim 58, configured to perform the method of any one of claims 29-36.

60. A network node (44) in a communication network (10), the network node (44) configured to: receive a request (52) that the communication network (10) require a user (12-1 II) of a communication device (12-1) to authenticate himself or herself to the communication network (10) as a prerequisite for establishing a communication session (16).

61. The network node of claim 60, configured to perform the method of any one of claims 38-49.

62. A policy control server (62) in a communication network (10), the policy control server (62) configured to: receive, from a data repository (19) in the communication network (10), information indicating: whether or not a protection mode is activated for a subscriber (14) that has a subscription to the communication network (10), wherein, when activated, the protection mode requires a user (12-1 II) of a communication device (12-1) associated with the subscription to authenticate himself or herself to the communication network (10) as a prerequisite for the communication device (12-1) to establish or continue any communication session or any communication session of the certain type; and/or whether or not the communication network (10) is to block data connectivity and/or text messaging for the subscription while the protection mode is activated; and while the protection mode is activated for the subscription, block or allow data connectivity and/or text messaging for the subscription according to the received information.

63. The policy control server of claim 62, wherein the information indicates that the protection mode is activated for the subscriber (14) and that the communication network (10) is to block data connectivity for the subscription while the protection mode is activated, and wherein said blocking comprises, responsive to receiving the information, tearing down any existing data connections for the subscription.

64. A computer program comprising instructions which, when executed by at least one processor of a session controller (18) in a communication network (10), causes the session controller (18) to perform the method of any one of claims 1-14.

65. A computer program comprising instructions which, when executed by at least one processor of an authentication server (20) in a communication network (10), causes the authentication server (20) to perform the method of any one of claims 15-23.

66. A computer program comprising instructions which, when executed by at least one processor of a first communication device (12-1), causes the first communication device (12-1) to perform the method of any one of claims 24-27.

67. A computer program comprising instructions which, when executed by at least one processor of a communication device (12-1), causes the communication device (12-1) to perform the method of any one of claims 28-36.

68. A computer program comprising instructions which, when executed by at least one processor of a network node (44) in a communication network (10), causes the network node (44) to perform the method of any one of claims 37-49.

69. A computer program comprising instructions which, when executed by at least one processor of a policy control server (62) in a communication network (10), causes the policy control server (62) to perform the method of any one of claims 50-51.

70. A carrier containing the computer program of any of claims 64-69, wherein the carrier is one of an electronic signal, optical signal, radio signal, or computer readable storage medium.

71. A session controller (18) in a communication network (10), the session controller (18) comprising: communication circuitry (1520); and processing circuitry (1510) configured to: receive a request (22) to establish or update a communication session (16) between a first communication device (12-1) and a second communication device (12-2) via the communication network (10); obtain a subscriber profile (14P) for a subscriber (14) that is associated with the first communication device (12-1) and that has a subscription to the communication network (10); make a decision, based on the subscriber profile (14P), whether or not to require a user (12-1 II, 12-211) of the first or the second communication device (12-1, 12-2) to authenticate himself or herself to the communication network (10) as a prerequisite for establishing or continuing the communication session (16) according to the request; and control establishment or continuation of the communication session (16) to require, or not require, authentication of the user (12-1 II, 12-211), according to the decision.

72. The session controller (18) of claim 71, the processing circuitry (1510) configured to perform the method of any one of claims 2-14.

73. An authentication server (20) in a communication network (10), the authentication server (20) comprising: communication circuitry (1620); and processing circuitry (1610) configured to: receive, from a session controller (18) in the communication network (10), a request (22M-1) to establish or update a communication session (16) between a first communication device (12-1) and a second communication device (12-2) via the communication network (10), wherein the request (22M-1) indicates a user (12-1 II, 12-211) of the first or the second communication device (12-1, 12-2) must authenticate himself or herself to the communication network (10) as a prerequisite for establishing or continuing the communication session (16); attempt to authenticate the user (12-1 II, 12-211) to the communication network (10); and transmit, to the session controller (18), a message (22M-2, 31) that indicates whether or not the authentication server authenticated the user.

74. The authentication server of claim 73, the processing circuitry (1610) configured to perform the method of any one of claims 16-23.

75. A first communication device (12-1) comprising: communication circuitry; (1420) and processing circuitry (1410) configured to: establish a communication session (16) between the first communication device (12-1) and a second communication device (12-2) via a communication network (10); after establishing the communication session (16), transmit, to a session controller (18) in the communication network (10), a request (22) to update the communication session (16) to trigger the communication network (10) to require a user of the second communication device (12-2) to authenticate himself or herself to the communication network (10) as a prerequisite for continuing the communication session (16); and receive, from the session controller (18), a result of whether or not the communication network (10) authenticated the user of the second communication device (12-2).

7Q. The first communication device (12-1) of claim 75, the processing circuitry (1410) configured to perform the method of any one of claims 25-27.

77. A communication device (12-1) comprising: communication circuitry (1420); and processing circuitry (1410) configured to transmit, to a configuration server in a communication network (10), a request (52) that the communication network (10) require a user (12-1 II) of the communication device (12-1) to authenticate himself or herself to the communication network (10) as a prerequisite for establishing a communication session (16).

78. The communication device of claim 77, the processing circuitry (1410) configured to perform the method of any one of claims 29-36.

79. A network node (44) in a communication network (10), the network node (44) comprising: communication circuitry (1720); and processing circuitry (1710) configured to receive a request (52) that the communication network (10) require a user (12-1 II) of a communication device (12-1) to authenticate himself or herself to the communication network (10) as a prerequisite for establishing a communication session (16).

80. The network node of claim 79, the processing circuitry (1710) configured to perform the method of any one of claims 38-49.

81. A policy control server (62) in a communication network (10), the policy control server (62) comprising: communication circuitry (1820); and processing circuitry (1810) configured to: receive, from a data repository (19) in the communication network (10), information indicating: whether or not a protection mode is activated for a subscriber (14) that has a subscription to the communication network (10), wherein, when activated, the protection mode requires a user (12-1 II) of a communication device (12-1) associated with the subscription to authenticate himself or herself to the communication network (10) as a prerequisite for the communication device (12-1) to establish or continue any communication session or any communication session of the certain type; and/or whether or not the communication network (10) is to block data connectivity and/or text messaging for the subscription while the protection mode is activated; and while the protection mode is activated for the subscription, block or allow data connectivity and/or text messaging for the subscription according to the received information.

82. The policy control server of claim 81 , wherein the information indicates that the protection mode is activated for the subscriber (14) and that the communication network (10) is to block data connectivity for the subscription while the protection mode is activated, and wherein said blocking comprises, responsive to receiving the information, tearing down any existing data connections for the subscription.