Grant-free　multiple　access　is　a　critical　mechanism　introduced　in　5G　new　radio　(NR)　to　support　ultra-reliable　low-latency　communication　(URLLC)　services.　Pilot　authentication　(PA)　is　a　key　security　mechanism　to　guarantee　reliable　performance　of　grant-free　URLLC.　However,　PA　can　be　easily　paralyzed　by　pilot-aware　attack　since　pilot　signals　are　usually　publicly　known,　and　unprotected.　To　solve　this,　we　develop　the　concatenated　graph　coding　(CGC)　theory　by　which　time-frequency　resources　on　bandwidth　part　(BWP)　can　be　encoded　flexibly　to　protect　PA　securely.　Particularly,　we　use　bipartite　graph,　and　multigraph　theory　to　model　PA　on　BWP　as　transmission,　and　retrieval　of　pilot　(TRP).　Each　transmitter　in　the　uplink　needs　transmit　a　unique　random　pilot　sequence　as　subcarrier　activation　pattern　(SAP)　on　BWP.　After　observing　SAPs　from　multiple　transmitters,　the　receiver　decodes　a　pilot　sequence　of　interest,　and　tests　its　authenticity.　The　retrievability　of　authentic　pilots　is　defined,　and　formulated　analytically.　We　also　derive　the　analytical　closed-form　expression　of　system　failure　probability,　and　accessibility　in　the　regime　of　large-scale　antenna　arrays,　and　short　data　packets.　Interestingly,　we　find　that　four　trade-offs　exist:　retrievability-latency,　retrievability-accessibility,　reliability-latency,　and　reliability-accessibility.　Simulation　results　show　the　security　advantage　of　our　proposed　theory　in　grant-free　URLLC　system.　©　2020　IEEE.