🤖 AI Summary
To address the high authentication latency and attack exposure caused by frequent handovers in high-frequency, ultra-dense 5G and beyond networks, this paper proposes the first digital twin–enabled handover authentication mechanism for mobility management. It introduces an authorized digital twin as a trusted intermediary that performs intra-domain and cross-domain pre-authentication, mutual authentication, and key agreement before the user equipment attaches to the target base station. Methodologically, the design combines lightweight cryptographic protocols with security analysis based on BAN logic, the Real-or-Random (RoR) model, and formal verification in ProVerif, so that both security and real-time performance are addressed. Experimental evaluation demonstrates a 42% reduction in average authentication latency, enabling millisecond-level seamless handover while significantly lowering signaling overhead and computational load. The security analysis shows that the mechanism resists eleven representative attack classes.
📝 Abstract
With its rapid development and extensive deployment, the fifth-generation wireless system (5G) has achieved ubiquitous high-speed connectivity and improved overall communication performance. Additionally, as one of the promising technologies for integration beyond 5G, a digital twin in cyberspace can interact with the core network, transmit essential information, and further enhance the wireless communication quality of the corresponding mobile device (MD). However, the utilization of millimeter-wave, terahertz band, and ultra-dense network technologies presents urgent challenges for MDs in 5G and beyond, particularly in terms of frequent handover authentication with target base stations during faster mobility, which can cause connection interruption and incur malicious attacks. To address such challenges in 5G and beyond, in this paper, we propose a secure and efficient handover authentication scheme that utilizes a digital twin. Acting as an intelligent intermediary, the authorized digital twin can handle computations and assist the corresponding MD in performing secure mutual authentication and key negotiation in advance, before attaching to the target base stations, in both intra-domain and inter-domain scenarios. In addition, we provide formal verification based on BAN logic, the RoR model, and ProVerif, as well as informal analysis, to demonstrate that the proposed scheme can offer diverse security functionality. Performance evaluation shows that the proposed scheme outperforms most related schemes in terms of signaling, computation, and communication overheads.