OpenID approves 3 standards for sharing real-time digital identity security signals

Three standards for real-time digital identity security event sharing are now Final Specifications, after their approval by the OpenID Foundation.

OpenID’s Shared Signals Framework 1.0, Continuous Access Evaluation Profile (CAEP) 1.0 and Risk Information Sharing and Coordination (RISC) 1.0 have been fixed against further revision and given intellectual property protections with the designation.

The Shared Signals Framework enables connected systems to deliver real-time information on security events. CAEP “defines how systems communicate session changes to maintain continuous security. RISC sets the standards for services to share account security changes.

Together, the organization says they address a critical security gap left during open sessions and between logins. A lack of security updates in federated identity systems previously forced organizations to choose between increasing friction with reauthentication requests or accepting the security vulnerabilities of outdated login information. Now, enterprise device management systems can notify connected services when a user’s device is no longer compliant, or has been compromised. Cybersecurity platforms can share threat detection intelligence as they collect it, and data on anomalous user information can be shared between partners.

“This coordinated approach makes Zero Trust security architectures practically achievable at global scale, where security decisions are continuously evaluated based on current, real-time information rather than outdated login credentials,” says Sgnl CTO Atul Tulshibagwale, who is co-chair of the OpenID Foundation’s Shared Signals Working Group.

“For financial services institutions, healthcare organizations, government agencies, and other security critical sectors, these specifications provide the standardized foundation needed to implement comprehensive Zero Trust security architectures and continuous access evaluation policies across their entire digital infrastructure.”

Sgnl was one of nine participants at the Gartner Identity and Access Management (IAM) Summit in London earlier this year to showcase implementations of the Shared Signals Framework and CAEP. The others included Google, IBM, Okta, Omnissa, Relock, SailPoint, Thales and Beyond Identity.

OpenID Foundation ED Gail Hodges calls the finalization of the three specs “a material milestone in the adoption of the specification. This status unlocks the ability of many governments to adopt the specifications, and encourages many CTOs and CISOs that the specifications are completely stable and ready for adoption.”

An interoperability test of the OpenID for Verifiable Credential Issuance specification was successfully completed in July, showing credentials from different issuers interoperating with digital wallets from several providers.

Article Topics

cybersecurity  |  digital identity  |  identity access management (IAM)  |  OpenID Foundation  |  shared signals  |  standards