Information-theoretically secure (ITS) authentication is needed in quantum key distribution (QKD). In this paper, we study security of an ITS authentication scheme proposed by Wegman & Carter, in the case of partially known authentication key. This scheme uses a new authentication key in each authentication attempt, to select a hash function from an Almost Strongly Universal $$_2$$ 2 hash function family. The partial knowledge of the attacker is measured as the trace distance between the authentication key distribution and the uniform distribution; this is the usual measure in QKD. We provide direct proofs of security of the scheme, when using partially known key, first in the information-theoretic setting and then in terms of witness indistinguishability as used in the universal composability (UC) framework. We find that if the authentication procedure has a failure probability $$\varepsilon $$ ε and the authentication key has an $$\varepsilon ^{\prime }$$ ε ′ trace distance to the uniform, then under ITS, the adversary’s success probability conditioned on an authentic message-tag pair is only bounded by $$\varepsilon +|\mathcal T |\varepsilon ^{\prime }$$ ε + | T | ε ′ , where $$|\mathcal T |$$ | T | is the size of the set of tags. Furthermore, the trace distance between the authentication key distribution and the uniform increases to $$|\mathcal T |\varepsilon ^{\prime }$$ | T | ε ′ after having seen an authentic message-tag pair. Despite this, we are able to prove directly that the authenticated channel is indistinguishable from an (ideal) authentic channel (the desired functionality), except with probability less than $$\varepsilon +\varepsilon ^{\prime }$$ ε + ε ′ . This proves that the scheme is ( $$\varepsilon +\varepsilon ^{\prime }$$ ε + ε ′ )-UC-secure, without using the composability theorem.