OpenID Establishes Three Key Standards for Digital Identity Security

Three important standards aimed at enhancing real-time digital identity security have been officially approved by the OpenID Foundation. The standards, comprising the Shared Signals Framework 1.0, Continuous Access Evaluation Profile (CAEP) 1.0, and Risk Information Sharing and Coordination (RISC) 1.0, are now designated as Final Specifications. This status confirms their stability and protects their intellectual property, paving the way for broader adoption across various sectors.

These specifications enable connected systems to share real-time information about security events, addressing a significant gap in security processes. The Shared Signals Framework defines how systems communicate session changes to ensure continuous security, while CAEP establishes standards for sharing account security modifications. Together, they provide a cohesive solution for managing security during open sessions and between logins.

Previously, federated identity systems forced organizations into a difficult choice: increase friction with frequent reauthentication requests or accept the vulnerabilities associated with outdated login information. With these new standards, enterprise device management systems can now alert connected services when a user’s device is non-compliant or has been compromised. Furthermore, cybersecurity platforms can share real-time threat intelligence and data regarding anomalous user behavior among partners.

Atul Tulshibagwale, Chief Technology Officer at Sgnl and co-chair of the OpenID Foundation’s Shared Signals Working Group, emphasized the significance of this coordinated approach. He stated, “This coordinated approach makes Zero Trust security architectures practically achievable at global scale, where security decisions are continuously evaluated based on current, real-time information rather than outdated login credentials.” This development holds particular relevance for sectors that prioritize security, such as financial services, healthcare, and government agencies.

The announcement came during the Gartner Identity and Access Management (IAM) Summit held in London earlier this year, where Sgnl was among nine participants showcasing implementations of the Shared Signals Framework and CAEP. Other notable participants included Google, IBM, Omnissa, Relock, SailPoint, and others.

Gail Hodges, Executive Director of the OpenID Foundation, described the finalization of these specifications as “a material milestone in the adoption of the specification.” She highlighted that this status facilitates the ability of multiple governments to embrace the specifications and reassures Chief Technology Officers (CTOs) and Chief Information Security Officers (CISOs) about their readiness for implementation.

In a related development, an interoperability test of the OpenID for Verifiable Credential Issuance specification was successfully completed in July 2023. This test demonstrated the seamless interaction of credentials from various issuers with digital wallets from multiple providers, further solidifying the foundation for secure digital identity management.

As organizations increasingly adopt these standards, the landscape of digital identity security is set to transform, making real-time security updates a standard practice rather than an exception.