Shared Signals: Who Pays the Price for Stronger Identity?


What if fraud prevention were, you know, a shared effort? That’s where the Shared Signals Framework (SSF) comes in! The idea behind shared signals is simple: instead of each company detecting threats on its own, organizations (or systems within an organization) can share security events, like compromised credentials or suspicious logins, in real time. The SSF, developed by the OpenID Foundation’s Shared Signals Working Group, is designed to make this happen, enabling faster fraud response, better risk assessment, and improved user security across platforms.

The promise of shared signals is real-time fraud detection and better security. But here’s the catch—every signal costs money. And in a world where cloud services charge per API call, this ‘stronger security’ might come with a hefty price tag. So, who actually pays for all this? And is it worth it?

Over the next few weeks, I’ll be diving deeper into the consumer identity and access management (CIAM) space, exploring which standards are, or should be, most influential. It may seem like a bit of a jump from where I started the year, but it makes sense in my head. I started by focusing on Non-Human Identity (NHI); that was a continuation from last year. But that led me to agentic AI and whether we can differentiate online between AIs and humans. It’s just a hop, skip, and a jump from there right into AI-enabled fraud, which is solidly in the sphere of CIAM. But thinking about fraud, authentication, and so on, is what leads to today’s focus: how to effectively signal when something has gone horribly wrong.

And that’s where the SSF comes in.

What Is the Shared Signals Framework (SSF)?

The SSF is an emerging standard from the OpenID Foundation designed to facilitate real-time sharing of security events between organizations. It defines a transmitter that publishes events and one or more receivers that subscribe to them over a configured event stream, with each event carried as a signed Security Event Token (SET). Instead of each service defending against threats in isolation, SSF enables collaborative security: a switchboard where different organizations share security events to build a stronger defense against fraud and cyber threats.

The Continuous Access Evaluation Profile (CAEP), a profile built on SSF, takes this a step further. It defines events such as session-revoked and credential-change so that organizations can continuously re-evaluate access to established sessions in real time, responding to credential compromise or session revocation without waiting for a traditional token expiration.

If you’d like to learn more about SSF and CAEP, the Identity Defined Security Alliance has a great video for you.

The Cost-Security Dilemma in CIAM

While SSF promises improved security, there’s a major challenge: cost. In a cloud-based CIAM model, every API call costs money. Implementing SSF and CAEP means a significant increase in API calls: the delivery of the events themselves (push delivery sends one HTTP request per event to the receiver, whereas poll delivery lets the receiver fetch many events in one request) plus the calls needed to act on each event, such as revoking sessions or re-scoring a user. That adds up to higher cloud service expenses. Organizations must balance these costs against the need for robust security, which is no small feat.

Factor            | Stronger Security (Shared Signals) | Lower Cost (Traditional CIAM)
------------------|------------------------------------|-----------------------------------
Threat Detection  | Immediate, real-time responses     | Delayed, batch-based reviews
Fraud Prevention  | High (shared risk signals)         | Lower (limited to local detection)
API Costs         | High (constant event updates)      | Lower (fewer real-time calls)
Privacy Concerns  | More data sharing                  | Less cross-platform exposure
Adoption Barrier  | Expensive for smaller orgs         | More affordable, but riskier

Why This Matters for CIAM

SSF and CAEP offer real benefits for consumer IAM, but they also raise some tough questions:

  • Stronger Security: Real-time event sharing means faster responses to security threats. If a user’s credentials are compromised on one platform, other connected services can take action immediately.
  • Better User Experience: Because a session can be revoked the moment a risk signal arrives, CAEP lets sessions and tokens live longer instead of forcing users to re-authenticate on a short timer, while maintaining security.
  • Alignment with Zero Trust: These protocols let access decisions be based on the latest security signals rather than on whatever was true when the token was issued.

However, there are also real concerns:

  • Skyrocketing API Costs: The more signals you share, the more you pay.
  • Data Privacy & Compliance: Sharing security events involves sensitive user data (subject identifiers such as email addresses, phone numbers, or account and device references), requiring strict privacy controls and data-minimization in what each stream carries.
  • Trust Issues: Why should one organization trust another’s signals? What if bad actors inject false signals into the system?

Potential Solutions for CIAM

So how do we keep the security benefits without the runaway costs? A few approaches might help:

  • Subscribe only to high-risk event types in each stream’s configuration (SSF lets the receiver specify which events it wants) and batch delivery where possible, so you are not paying per-call for signals you would ignore anyway.
  • Implement machine learning-driven fraud detection to reduce unnecessary security event generation, ensuring Shared Signals are only triggered for high-risk activities.
  • Handle event processing outside the metered cloud API path where you can, distributing the load rather than paying per call for every signal.
  • Explore cost-sharing with industry consortiums to lower API expenses.
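To make the cost point concrete, here is a simulated SSF poll-delivery exchange (the RFC 8936 request and response shape) between an in-process transmitter and receiver. It is an added example, not code from the original post or from any SSF implementation. The stream is configured to request only two CAEP event types and to use poll delivery, so lower-priority events are dropped at the source and the rest arrive in batches of ten instead of one push request per event. The stream-configuration field names follow the SSF spec; the delivery-method URI, the sample events, and the placeholder SET strings are assumptions.

```python
"""Simulated SSF poll-based delivery (RFC 8936 request/response shape).

Added example; not code from the original post or from any SSF
implementation. The CAEP event-type URIs and stream-config field names
follow the specs; the delivery-method URI, sample events and placeholder
SET strings are assumptions for the demo.
"""
from collections import OrderedDict

CAEP = "https://schemas.openid.net/secevent/caep/event-type/"
SESSION_REVOKED = CAEP + "session-revoked"
CREDENTIAL_CHANGE = CAEP + "credential-change"
TOKEN_CLAIMS_CHANGE = CAEP + "token-claims-change"

# Stream configuration the receiver registers with the transmitter.
# Only the high-risk event types are requested; anything else is never delivered.
STREAM_CONFIG = {
    "delivery": {"method": "urn:ietf:rfc:8936"},  # assumed URI for poll delivery
    "events_requested": [SESSION_REVOKED, CREDENTIAL_CHANGE],
}


class Transmitter:
    """Holds undelivered SETs for one stream and answers poll requests."""

    def __init__(self, config):
        self.requested = set(config["events_requested"])
        self.pending = OrderedDict()  # jti -> SET (an opaque placeholder string here)

    def emit(self, jti, event_type, set_token):
        # Filtering at the source: events the stream did not ask for are dropped.
        if event_type in self.requested:
            self.pending[jti] = set_token

    def poll(self, request):
        # Acknowledged (or errored) SETs are removed first and never redelivered.
        for jti in list(request.get("ack", [])) + list(request.get("setErrs", {})):
            self.pending.pop(jti, None)
        max_events = request.get("maxEvents", len(self.pending))
        batch = list(self.pending.items())[:max_events]
        return {"sets": dict(batch), "moreAvailable": len(self.pending) > max_events}


class Receiver:
    """Drains a stream in batches, acknowledging each batch on the next poll."""

    def __init__(self, transmitter, batch_size=10):
        self.tx = transmitter
        self.batch_size = batch_size
        self.processed = []
        self.poll_calls = 0  # the metered API calls the post is worried about

    def _poll(self, max_events, ack):
        self.poll_calls += 1
        return self.tx.poll({"maxEvents": max_events, "returnImmediately": True, "ack": ack})

    def drain(self):
        ack = []
        while True:
            resp = self._poll(self.batch_size, ack)
            ack = []
            for jti, token in resp["sets"].items():
                self.processed.append((jti, token))  # apply to the session store here
                ack.append(jti)  # ack only after the event has been durably handled
            if not resp["moreAvailable"]:
                break
        if ack:
            self._poll(0, ack)  # maxEvents=0: acknowledge-only request
        return self.processed


def run_demo():
    """Constructed scenario: 25 revocations, 1 credential change, 5 unrequested events."""
    tx = Transmitter(STREAM_CONFIG)
    for i in range(25):
        tx.emit(f"jti-sess-{i}", SESSION_REVOKED, f"<signed SET {i}>")
    for i in range(5):
        tx.emit(f"jti-claims-{i}", TOKEN_CLAIMS_CHANGE, "<never queued>")
    tx.emit("jti-cred-0", CREDENTIAL_CHANGE, "<signed SET cred>")
    rx = Receiver(tx, batch_size=10)
    delivered = rx.drain()
    return {
        "delivered": len(delivered),
        "poll_calls": rx.poll_calls,
        "left_pending": len(tx.pending),
        "push_calls_equivalent": len(delivered),  # one request per event under push delivery
    }


if __name__ == "__main__":
    print(run_demo())
```

With 26 requested events the receiver makes four poll requests (three batches plus a final acknowledge-only call) where push delivery would have cost 26, and the five token-claims-change events never leave the transmitter because the stream did not ask for them. The SET strings are placeholders; signature and claim verification of real SETs is a separate step the receiver must still perform before acting.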

Can CIAM Trust Shared Signals?

One of the biggest concerns with real-time event sharing is trust. Imagine an attacker compromises a user’s account on Platform A. If Platform A sends an immediate “compromised account” signal to Platform B, Platform B could block access before damage is done. Yay! But what if attackers send fake signals to lock out legitimate users? Or flood the system with false alerts to create chaos? This is why trust—and verification—are critical in Shared Signals adoption.

To prevent abuse, SSF includes security measures like:

  • Authentication & Authorization: OAuth 2.0 access tokens protect both the stream-management API and event delivery, so only registered transmitters and receivers can configure a stream or send and receive events on it.
  • Event Verification: Security Event Tokens (SETs, RFC 8417) are digitally signed JWTs, so a receiver can check the signature, issuer, audience and event identifier (jti) before acting on an event, and reject forged or replayed signals.
  • Stream Management: Organizations control which signals they subscribe to, reducing exposure to irrelevant or malicious events.
  • Mutual Agreements: Organizations define rules and expectations for shared events, limiting abuse potential.
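The checks above on the receiver side, as an added example that is not code from the original post or from any SSF implementation: a minimal SET verifier that pins the algorithm, checks the signature, issuer, audience, freshness and jti replay, and accepts only the event types it subscribed to. It assumes HS256 with a key shared out of band (real transmitters normally sign with asymmetric keys published at a JWKS URL), a top-level sub_id claim as in the SSF spec examples, and made-up issuer and audience identifiers.

```python
"""Receiver-side verification of a Security Event Token (SET, RFC 8417)
carrying a CAEP event.

Added example, not code from the original post or from any SSF
implementation. Assumptions: HS256 with a key shared out of band (real
transmitters normally use asymmetric keys published via JWKS), a top-level
sub_id claim, and made-up transmitter/receiver identifiers and key.
"""
import base64
import hashlib
import hmac
import json
import time

CAEP = "https://schemas.openid.net/secevent/caep/event-type/"
SESSION_REVOKED = CAEP + "session-revoked"
CREDENTIAL_CHANGE = CAEP + "credential-change"

TRANSMITTER = "https://idp.example"  # assumed transmitter issuer
RECEIVER = "https://app.example"  # assumed receiver audience
DEMO_KEY = b"constructed-demo-key-do-not-reuse"  # assumed shared HMAC key


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_set(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Transmitter side: sign a SET. typ=secevt marks it as an event, not an access token."""
    header = {"alg": "HS256", "typ": "secevt"}
    parts = [_b64url(json.dumps(p, separators=(",", ":")).encode()) for p in (header, claims)]
    signing_input = ".".join(parts)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


class SetRejected(Exception):
    pass


class SetVerifier:
    def __init__(self, key, issuer, audience, accepted_events, max_age=300):
        self.key, self.issuer, self.audience = key, issuer, audience
        self.accepted = set(accepted_events)
        self.max_age = max_age
        self.seen = set()  # jti replay cache; bounded and persistent in production

    def verify(self, token: str, now=None) -> dict:
        now = now or time.time()
        try:
            h, p, s = token.split(".")
        except ValueError:
            raise SetRejected("malformed token")
        header = json.loads(_b64url_decode(h))
        # Pin the algorithm we expect; never let the token choose (alg confusion).
        if header.get("typ") != "secevt" or header.get("alg") != "HS256":
            raise SetRejected("unexpected header")
        expected = hmac.new(self.key, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            raise SetRejected("bad signature")
        claims = json.loads(_b64url_decode(p))
        if claims.get("iss") != self.issuer:
            raise SetRejected("untrusted issuer")
        aud = claims.get("aud")
        aud = [aud] if isinstance(aud, str) else (aud or [])
        if self.audience not in aud:
            raise SetRejected("not addressed to this receiver")
        iat = claims.get("iat")
        if not isinstance(iat, int) or not (now - self.max_age <= iat <= now + 60):
            raise SetRejected("stale or future iat")
        jti = claims.get("jti")
        if not jti or jti in self.seen:
            raise SetRejected("missing or replayed jti")
        events = claims.get("events") or {}
        unknown = set(events) - self.accepted
        if not events or unknown:
            # Conservative policy: reject a SET carrying anything we did not subscribe to.
            raise SetRejected(f"unexpected event types: {sorted(unknown)}")
        if not claims.get("sub_id"):
            raise SetRejected("no subject")
        self.seen.add(jti)
        return claims


def demo() -> dict:
    """Constructed scenario: one valid session-revoked SET, then four abuse attempts."""
    v = SetVerifier(DEMO_KEY, TRANSMITTER, RECEIVER, {SESSION_REVOKED, CREDENTIAL_CHANGE})
    now = int(time.time())
    claims = {
        "iss": TRANSMITTER, "aud": RECEIVER, "iat": now, "jti": "evt-001",
        "sub_id": {"format": "email", "email": "alice@example.com"},
        "events": {SESSION_REVOKED: {"event_timestamp": now,
                                     "reason_admin": {"en": "Credential compromise reported"}}},
    }
    good = mint_set(claims)
    results = {"valid": v.verify(good, now)["jti"]}
    attempts = [
        ("replay", good),
        ("forged", mint_set(claims, key=b"attacker-guessed-key")),
        ("wrong_aud", mint_set({**claims, "jti": "evt-002", "aud": "https://other.example"})),
        ("stale", mint_set({**claims, "jti": "evt-003", "iat": now - 3600})),
    ]
    for label, token in attempts:
        try:
            v.verify(token, now)
            results[label] = "accepted"
        except SetRejected as e:
            results[label] = "rejected: " + str(e)
    return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The first token is accepted and its session-revoked event can be applied; the replayed copy, the token signed with the wrong key, the one addressed to another receiver, and the hour-old one are all rejected before anything touches the session store. That is the practical answer to "what if attackers send fake signals": a signal only locks anyone out if it is signed by a transmitter you registered, addressed to you, fresh, and not already seen.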

The Future of SSF and CAEP

Right now, SSF is still in an implementer’s draft stage, meaning there’s room for improvement before it becomes a full standard. The OpenID Foundation’s working group continues to refine the framework, considering real-world challenges like API costs and error handling.

For CIAM providers, the key takeaway is this: SSF and CAEP are powerful tools, but they come with trade-offs. Finding the right balance between security, cost, and trust will determine whether these standards become game-changers or just another expensive security upgrade.

What do you think—should companies embrace real-time shared signals, or do the risks outweigh the benefits?


Heather Flanagan

Principal, Spherical Cow Consulting | Founder, The Writer's Comfort Zone | Translator of Geek to Human

One thought on “Shared Signals: Who Pays the Price for Stronger Identity?”
  • Felix Gaehtgens March 9, 2025 at 11:42 pm

    Hi Heather,
    An interesting question. But a bit too much FUD (fear, uncertainty, doubt) in your article.
    Keep in mind that CAEP is predominantly about signals for established sessions. If you’re going to “invest” in one or more API calls for establishing a session, do you really think it would be too expensive to also “invest” in another API call or so relating to a signal received for that session that you’ve already “invested” at least one API call in?
    I don’t think so. Especially since this really ups the ante.
