The OpenID Foundation welcomes the publication of a new whitepaper from the FIDO Alliance that examines how FIDO authentication and the Shared Signals Framework (SSF) work together to address enterprise security challenges.
We recognize the significant effort by the FIDO Enterprise Deployment Working Group to illustrate how aligned our specifications are, and we welcome the opportunity to partner on future versions of this whitepaper and any implementer guides. This work will evolve as our respective specifications evolve, and tangible expert guidance from this FIDO report will help accelerate industry adoption and realize the benefits of these complementary security standards.
Beyond authentication to continuous security evaluation
Many enterprise identity and access management systems operate independently, which limits visibility across platforms. FIDO protocols address one part of this challenge by providing strong, phishing-resistant authentication based on public key cryptography, removing the shared secrets that password phishing and credential stuffing depend on. But authentication is only the first step. Organizations also need continuous visibility into session status and emerging security risks after users log in.
This is where the SSF comes in. It enables secure, real-time exchange of identity and security events across different systems and vendors. These events include risk signals, credential compromise notifications, and session revocations. When organizations integrate FIDO authentication with the two SSF event profiles - the Continuous Access Evaluation Protocol (CAEP), which carries session and access-level changes, and Risk Incident Sharing and Coordination (RISC), which carries account and credential risk events - they can make timely, informed decisions throughout the user session lifecycle.
Practical applications
The paper describes practical applications across the user lifecycle, from onboarding and role changes to offboarding and account recovery. Organizations can use shared signals to automatically disable compromised accounts, strengthen step-up authentication when higher security is needed, and improve federated login with better session monitoring. SSF creates a common language for security events, allowing different systems to share information and coordinate responses even across organizational boundaries.
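The exchange described above (a transmitter sending CAEP session-revoked and RISC credential-compromise events, and a receiver that revokes sessions or disables the account in response) can be illustrated with a small receiver. The following is an added example, not code from the OpenID Foundation, the FIDO Alliance or the whitepaper. It builds Security Event Tokens (SETs, RFC 8417) with the standard CAEP and RISC event-type URIs, and the receiver checks signature, issuer, audience, age and replay before acting. The HS256 shared key, issuer and audience strings, user identifiers and sample events are all constructed for the example; real SSF transmitters normally sign SETs with asymmetric keys published via JWKS, and HMAC is used here only so the code runs offline.

```python
"""Minimal Shared Signals transmitter/receiver pair (added example, constructed data).

Assumptions: HS256 with a shared key stands in for the transmitter's JWKS-published
signing key; issuer, audience, key and user identifiers are made up.
"""
import base64
import hashlib
import hmac
import json
import uuid

# Event type URIs defined by the CAEP and RISC profiles of SSF.
CAEP_SESSION_REVOKED = "https://schemas.openid.net/secevent/caep/event-type/session-revoked"
RISC_CREDENTIAL_COMPROMISE = "https://schemas.openid.net/secevent/risc/event-type/credential-compromise"

SHARED_KEY = b"example-only-hmac-key"     # constructed; illustration only
TRANSMITTER = "https://idp.example/ssf"   # constructed issuer
RECEIVER = "https://app.example"          # constructed audience
MAX_AGE_SECONDS = 300                     # reject SETs older than this


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_set(event_type: str, subject: dict, now: int) -> str:
    """Transmitter side: build and HS256-sign a SET carrying one event."""
    header = {"alg": "HS256", "typ": "secevent+jwt"}
    payload = {
        "iss": TRANSMITTER,
        "aud": RECEIVER,
        "iat": now,
        "jti": uuid.uuid4().hex,  # unique per SET; receiver uses it for replay detection
        "events": {event_type: {"subject": subject, "event_timestamp": now}},
    }
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(payload).encode())
    sig = hmac.new(SHARED_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


class Receiver:
    """Receiver side: verify each SET, then apply its events to local session state."""

    def __init__(self):
        self.seen_jti = set()   # replay protection
        self.sessions = {}      # user -> set of active session ids
        self.disabled = set()   # accounts disabled pending recovery

    def login(self, user: str, session_id: str) -> bool:
        if user in self.disabled:
            return False        # compromised account stays locked until recovery
        self.sessions.setdefault(user, set()).add(session_id)
        return True

    def is_active(self, user: str, session_id: str) -> bool:
        return user not in self.disabled and session_id in self.sessions.get(user, set())

    def handle(self, token: str, now: int) -> list:
        """Verify the SET and return a description of each action taken."""
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(_b64url_decode(h_b64))
        if header.get("alg") != "HS256":
            raise ValueError("unexpected alg")  # never let the token choose the algorithm
        expected = hmac.new(SHARED_KEY, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
            raise ValueError("bad signature")
        payload = json.loads(_b64url_decode(p_b64))
        if payload.get("iss") != TRANSMITTER or payload.get("aud") != RECEIVER:
            raise ValueError("wrong issuer or audience")
        if now - payload["iat"] > MAX_AGE_SECONDS:
            raise ValueError("stale SET")
        if payload["jti"] in self.seen_jti:
            raise ValueError("replayed SET")
        self.seen_jti.add(payload["jti"])
        return [self._apply(t, e) for t, e in payload["events"].items()]

    def _apply(self, event_type: str, event: dict) -> str:
        user = event["subject"]["email"]  # subject uses the "email" identifier format
        if event_type == CAEP_SESSION_REVOKED:
            self.sessions.pop(user, None)
            return f"revoked sessions for {user}"
        if event_type == RISC_CREDENTIAL_COMPROMISE:
            self.sessions.pop(user, None)
            self.disabled.add(user)
            return f"disabled {user} and revoked sessions"
        return f"ignored unknown event {event_type}"  # receivers must tolerate new event types
```

The order of checks matters: the signature is verified before any claim in the payload is trusted, and the `jti` replay check runs only after the signature, issuer, audience and age checks pass, so an attacker cannot poison the seen-`jti` set with unsigned tokens.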
Industry adoption and testing resources
“Security doesn't end at login, and this whitepaper illustrates how FIDO and Shared Signals work as complementary pieces of a comprehensive security strategy. FIDO gets you in the door securely, and SSF ensures you maintain the right level of access throughout your entire session. Together, they enable the zero standing privilege architectures that enterprises need to defend against today's sophisticated identity-based attacks,” said Atul Tulshibagwale, co-chair of the OpenID Foundation’s Shared Signals Working Group.
Apoorva Deshpande, an editor of the FIDO paper and contributor to the OpenID Foundation’s Shared Signals Working Group, said: “FIDO has provided the gold standard for strong, phishing-resistant authentication at the front door. The OpenID Shared Signals Framework secures the entire session with continuous and real-time signals. This powerful combination enables disparate systems to work in concert, automates responses, and instantly revokes access when risk is detected, building a truly collaborative, signal-driven security architecture for the future.”
The OpenID Foundation encourages organizations to implement the FIDO and Shared Signals specifications. To support this effort, draft open-source test suites for Shared Signals are now freely available to help organizations validate their implementations. Note that when creating a test plan, you will need to enable the “show early version tests” option in order to see the SSF test plans.
Thomas Darimont from the OpenID Foundation’s Certification Team added: “The Shared Signals Framework tests, as part of the OpenID Conformance Testsuite, are built to help implementers validate SSF transmitter and receiver interoperability and strengthen their integrations with confidence. We encourage everyone building on SSF to use these tests early and often and to share feedback, so we can continue improving the ecosystem together.”
Feedback on the specifications is welcome from implementers and can be sent to the OpenID Foundation's certification team at certification@oidf.org.
Later this year, the OpenID Foundation will open self-certification against the Shared Signals specifications to implementers at modest fees, with discounts for members. Developers can build to the tests, prove out their implementations, and demonstrate conformance to others.
Shared signals demo at FIDO Authenticate
At FIDO Authenticate this week, attendees saw shared signals in action. More on the findings from this demonstration, the fourth shared signals interop in two years, will be shared separately.
About the OpenID Foundation
The OpenID Foundation (OIDF) is a global open standards body committed to helping people assert their identity wherever they choose. Founded in 2007, we are a community of technical experts leading the creation of open identity standards that are secure, interoperable, and privacy preserving. The Foundation’s OpenID Connect standard is now used by billions of people across millions of applications. In the last five years, the Financial Grade API has become the standard of choice for Open Banking and Open Data implementations, allowing people to access and share data across entities. Today, the OpenID Foundation’s standards are the connective tissue to enable people to assert their identity and access their data at scale, the scale of the internet, enabling “networks of networks” to interoperate globally. Individuals, companies, governments and non-profits are encouraged to join or participate. Find out more at openid.net.
