IT Brief Australia - Technology news for CIOs & IT decision-makers

OpenID launches first global standards for real-time security alerts

Wed, 17th Sep 2025

The OpenID Foundation has approved three new specifications creating the first global standards for real-time security event sharing across digital identity systems.

The finalisation of these standards enables the immediate sharing of security threats across connected systems, addressing a significant vulnerability that has affected organisations in numerous sectors for years. Until now, systems that relied upon federated identity were unable to transmit security updates after a user's initial login, leaving sessions potentially exposed for days or weeks as user roles, device compliance, or threat environments changed.

The three new specifications are the OpenID Shared Signals Framework 1.0, the OpenID Continuous Access Evaluation Profile (CAEP) 1.0, and OpenID Risk Information Sharing and Coordination (RISC) 1.0. Together, these frameworks define how real-time security event information is exchanged, how systems communicate changes in session state, and how account-level security issues are shared between different services.

Specification details

The OpenID Shared Signals Framework 1.0 enables the secure, real-time delivery of security events between connected systems. This supports situations in which, for example, a device management system needs to alert other systems that a device is non-compliant or compromised.

The OpenID Continuous Access Evaluation Profile (CAEP) 1.0 sets out a method for systems to notify each other of changes to user session status, supporting the goal of continuous security monitoring. With this in place, access levels and session validity can be kept up to date based on real-time information rather than fixed login events.

OpenID RISC 1.0 establishes how different services can coordinate the sharing of account security changes, such as when credentials are compromised or a suspected account takeover is detected.
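The event flow the three specifications describe, shown as an added example that is not the OpenID Foundation's or any vendor's code: a transmitter signs a Security Event Token (RFC 8417, the token format the Shared Signals Framework builds on) and a receiver verifies it and applies a CAEP session-revoked or RISC credential-compromise event to its own session store. The HS256 shared secret, the example hosts, the `sub_id`/email subject layout and the `Receiver` class are assumptions made for this example; a real SSF transmitter signs with keys published in its JWKS, so asymmetric signature verification would replace the HMAC used here.

```python
import base64, hashlib, hmac, json

CAEP_SESSION_REVOKED = "https://schemas.openid.net/secevent/caep/event-type/session-revoked"           # CAEP 1.0
RISC_CREDENTIAL_COMPROMISE = "https://schemas.openid.net/secevent/risc/event-type/credential-compromise"  # RISC 1.0

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_set(claims: dict, key: bytes) -> str:
    """Transmitter side: encode the claims as a compact HS256-signed Security Event Token."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "secevent+jwt"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_set(token: str, key: bytes, issuer: str, audience: str) -> dict:
    """Receiver side: verify signature, issuer and audience before trusting any event."""
    header, payload, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig)):
        raise ValueError("invalid signature")
    claims = json.loads(_unb64url(payload))
    if (claims.get("iss") != issuer or claims.get("aud") != audience
            or "jti" not in claims or not isinstance(claims.get("events"), dict)):
        raise ValueError("rejected: wrong issuer/audience or not a Security Event Token")
    return claims

class Receiver:
    def __init__(self, key: bytes, issuer: str, audience: str):
        self.key, self.issuer, self.audience = key, issuer, audience
        # live session ids per user; users who must set a new credential; jti values already applied
        self.sessions, self.reset_required, self.seen_jti = {}, set(), set()
    def ingest(self, token: str) -> list:
        claims = verify_set(token, self.key, self.issuer, self.audience)
        if claims["jti"] in self.seen_jti:        # replay protection: apply each SET exactly once
            return ["duplicate SET ignored"]
        self.seen_jti.add(claims["jti"])
        user = claims["sub_id"]["email"]          # assumption: subject carried in the top-level sub_id claim
        actions = []
        for event_type in claims["events"]:
            if event_type not in (CAEP_SESSION_REVOKED, RISC_CREDENTIAL_COMPROMISE):
                actions.append(f"unhandled event type {event_type}")
                continue
            self.sessions.pop(user, None)         # both events end every live session immediately
            if event_type == RISC_CREDENTIAL_COMPROMISE:
                self.reset_required.add(user)     # a compromised credential must be replaced as well
            actions.append(f"{event_type.rsplit('/', 1)[1]} applied to {user}")
        return actions
```

The receiver rejects tokens from any other issuer or key and ignores a replayed `jti`, which is the point of verifying each SET before acting on it.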

Addressing long-standing security gaps

The lack of such standards has forced organisations to make difficult security choices. Either they repeatedly prompted users to re-authenticate - disrupting workflow and user experience - or they accepted greater risk by allowing sessions to persist unchanged, even as a user's situation or device might have become compromised.

The new global standards will allow swift, coordinated security responses across widely distributed digital services. For example, alerts about unusual or high-risk behaviour can be shared instantly between trusted parties, and action can be taken without delay to mitigate any threats identified.

"This coordinated approach makes Zero Trust security architectures practically achievable at global scale, where security decisions are continuously evaluated based on current, real-time information rather than outdated login credentials.
"For financial services institutions, healthcare organizations, government agencies, and other security-critical sectors, these specifications provide the standardized foundation needed to implement comprehensive Zero Trust security architectures and continuous access evaluation policies across their entire digital infrastructure."

These statements were made by Atul Tulshibagwale, CTO at SGNL and co-chair of the OpenID Foundation's Shared Signals Working Group, who led the development of the specifications.

Significance of the 'Final Specification' status

The OpenID Foundation's designation of these specifications as Final is significant for their long-term adoption. This designation means the standards are now stable and will not be further revised, affording organisations legal protections and the confidence to move forward with widespread, large-scale deployments.

The Foundation's membership includes major technology firms such as Apple, IBM, and Okta, reflective of a collective responsibility for protecting billions of user identities worldwide. Several of these organisations have already adopted the protocols.

"The fact that the first three specifications in the Shared Signals family are Final is a material milestone in the adoption of the specification. This status unlocks the ability of many governments to adopt the specifications, and encourages many CTOs and CISOs that the specifications are completely stable and ready for adoption. The OIDF recognizes all the countless hours the Shared Signals WG co-chairs, contributors, and implementers have played in conceiving, maturing and now scaling this family of specifications, specifications we perceive as vital to the health of identity and security ecosystems globally."

Gail Hodges, Executive Director of the OpenID Foundation, highlighted the importance of the stability and maturity represented by the Final Specification status in supporting worldwide adoption, including by governments.

The approval and release of these global standards lay the foundation for enhanced, real-time security coordination for sectors such as financial services, healthcare, and government, and are expected to benefit billions of users globally.
