OpenID Foundation sets new standards for real-time security event sharing
The OpenID Foundation (OIDF) has approved three Final Specifications, establishing the first global standards for real-time security event sharing across digital identity systems.
The approved Final Specifications are:
- OpenID Shared Signals Framework 1.0 – Enables secure, real-time delivery of security events between any connected systems
- OpenID Continuous Access Evaluation Profile (CAEP) 1.0 – Defines how systems communicate session changes to maintain continuous security
- OpenID Risk Information Sharing and Coordination (RISC) 1.0 – Establishes standards for sharing account security changes between services
Why these standards are important
These specifications solve a critical gap that has left organizations vulnerable during the extended periods between user logins. Systems relying on federated identity had no way to receive security updates after initial login. Sessions often last days or weeks, during which user locations, device compliance, or organizational access may change dramatically. Organizations were forced to choose between disrupting users with constant re-authentication requests or accepting substantial security risks from outdated login information.
These standards create an ecosystem where security systems can instantly communicate threats across organizational boundaries. Enterprise device management systems can notify all connected services when a user’s device becomes non-compliant or compromised, while cybersecurity threat detection platforms can share intelligence about suspicious activities in real time. Identity providers can immediately broadcast alerts about credential compromises or account takeovers, and applications can report anomalous user behaviour patterns to the broader security ecosystem.
“This coordinated approach makes zero trust security architectures practically achievable at global scale, where security decisions are continuously evaluated based on current, real-time information rather than outdated login credentials,” said Atul Tulshibagwale, co-chair of the OpenID Foundation’s Shared Signals Working Group.
“For financial services institutions, healthcare organizations, government agencies, and other security critical sectors, these specifications provide the standardized foundation needed to implement comprehensive zero trust security architectures and continuous access evaluation policies across their entire digital infrastructure.”
Significance of ‘Final Specification’ status
The OpenID Foundation’s approval establishes the specifications as the definitive global standard for continuous identity security, providing the foundation for protecting billions of users worldwide. The designation as Final Specifications provides crucial intellectual property protections and guarantees these standards will not undergo further revision.
The OpenID Foundation’s membership represents organizations responsible for protecting billions of user identities worldwide. Major technology leaders, including Apple, IBM, Okta, and others, have already adopted these protocols.
Gail Hodges, the OpenID Foundation’s Executive Director, said: “The fact that the first three specifications in the Shared Signals family are Final is a material milestone in the adoption of the specification. This status unlocks the ability of many governments to adopt the specifications, and encourages many CTOs and CISOs that the specifications are completely stable and ready for adoption. The OIDF recognizes all the countless hours the Shared Signals WG cochairs, contributors, and implementers have played in conceiving, maturing and now scaling this family of specifications, specifications we perceive as vital to the health of identity and security ecosystems globally.”