The Standards Making Identity Security Better: A 2025 Review

Identity Is Only as Strong as the Standards Behind It

We’ve entered a new era of identity-first security, where authentication alone is no longer enough. With session hijacking, token theft, and lateral movement on the rise, modern enterprises need identity systems that are not only smart but dynamic, interoperable, and enforceable at runtime.

The identity and security ecosystem is responding and over the last few years, we’ve seen new and evolving standards that aim to solve gaps in session continuity, token binding, and risk response.

In this post, we touch on  four of the most promising standards in identity security today:

• Continuous Access Evaluation Profile (CAEP) and the Shared Signals Framework (SSF)
• Demonstrating Proof of Possession (DPoP) for OAuth
• IPSIE, a proposed wrapper standard introduced by Okta
• Device Bound Session Credentials (DBSC)

We’ll summarize what each standard does, why it matters, where adoption stands, and how they might converge into a stronger, standards-based identity fabric for enterprises.

Continuous Access Evaluation Profile (CAEP) and Shared Signals Framework (SSF)

Problem: Sessions don’t react to changing risk.
Once a user is authenticated, their session typically persists, regardless of changes in device posture, user behavior, or contextual risk.

Solution: CAEP + SSF enables session re-evaluation in near real time.

• CAEP, developed through the OpenID Foundation, defines a set of signals and response types that identity providers (IdPs) and relying parties (RPs) can use to dynamically evaluate access.
• Shared Signals Framework (SSF) is the transport protocol behind it, using secure webhooks or push-based channels to propagate identity-related security events.

Why it matters:

• If a device becomes compromised, a user is terminated, or a risk score spikes, CAEP allows sessions across apps to be revoked or downgraded immediately.
• Moves session management from static policies to signal-driven enforcement.

Who's adopting it:

• Google, Microsoft, and Okta are early implementers.
• Ping Identity and Auth0 have begun pilot integrations.
• Apps like Slack and Zoom are exploring CAEP as part of broader Zero Trust architectures.

Takeaways: CAEP makes the post-login layer programmable and responsive, a cornerstone for runtime identity security. WideField actively supports CAEP signal interpretation and session termination triggers in its detection workflows.

Demonstrating Proof of Possession (DPoP)

Problem: OAuth tokens can be stolen and reused.

Traditional bearer tokens in OAuth 2.0 do not validate the client’s identity—meaning anyone holding the token can use it, including attackers.

Solution: DPoP introduces key-bound tokens.

• Clients generate a public/private key pair.
• When requesting tokens, clients present a DPoP proof—a signed statement proving they possess the private key.
• Resource servers can challenge clients or validate tokens with the associated key thumbprint.

Why it matters:

• Prevents token replay attacks.
• Makes it harder for stolen tokens to be reused across devices or locations.
• Especially useful in mobile and browser-based apps where token theft risks are high.

Adoption and challenges:

• OAuth 2.1 includes early provisions for DPoP.
• Implemented in frameworks like Node-OIDC and adopted by some fintech platforms.
• Still requires alignment across IdPs, token issuers, and resource servers for full effect.

Takeaways: DPoP adds critical cryptographic proof to OAuth flows. For security teams looking to tighten API access control, DPoP is an essential upgrade—but must be paired with strong token lifecycle hygiene.

IPSIE: A Wrapper Standard with Promise

Problem: Too many standards, not enough coordination.

IPSIE, short for Identity Proofing and Session Integrity Enforcement, is a proposed meta-standard introduced by Okta and discussed in the broader identity community.

What it does:

• Acts as a wrapper or coordination layer that aligns signals from CAEP, DPoP, DBSC, and other protocols.
• Helps standardize how session trust is calculated, communicated, and enforced across vendors and platforms.
• Envisions pluggable policy engines where enterprises can define how different risk signals interact.

Why it matters:

• Identity security is only as strong as its weakest link. IPSIE attempts to harmonize enforcement.
• Could enable faster, more scalable adoption of new standards across diverse identity and app stacks.

Where it stands:

• Still in early conceptual and working group phases.
• No formal RFC or OpenID working group has ratified IPSIE yet.
• Okta is experimenting with early prototypes and industry engagement.

Takeaways: Standards like IPSIE will be critical to solving the orchestration challenge—bringing signal-driven identity to scale without breaking legacy apps or vendor interoperability.

Device Bound Session Credentials (DBSC)

Problem: Sessions can be hijacked and reused elsewhere.

In the browser world, session cookies are often transferable. If an attacker steals a cookie, they can hijack the session—bypassing MFA or device checks.

Solution: DBSC binds sessions to the originating device.

• Introduced by Google, now part of the FedCM (Federated Credential Management) effort in Chrome.
• Credentials are cryptographically bound to a device or secure enclave.
• Even if a cookie or token is stolen, it cannot be replayed on another machine or browser.

Why it matters:

• Prevents session theft and cookie hijacking, one of the most common identity breach methods.
• Creates trust continuity from authentication to usage without persistent re-authentication.

Adoption:

• Chrome supports DBSC starting with v120+.
• Microsoft Edge is rolling out DBSC support in alignment with the Chromium roadmap.
• Early use cases: Google Workspace, enterprise SSO extensions, and identity brokers.

Takeaways: DBSC represents a critical leap in post-authentication session security—particularly for high-value web applications. We expect broader adoption across enterprise SaaS within the next 12–24 months.

Bringing It All Together: Fragmented or Converging?

Each of these standards tackles a different piece of the identity security puzzle:

The good news? These are not mutually exclusive.

In fact, the most secure identity architectures of the future will likely adopt several—or all—of these standards in tandem:

• DBSC secures the browser session
• DPoP ensures token authenticity
• CAEP triggers real-time access decisions
• IPSIE governs how it all works together

Together, they enable continuous, contextual, and cryptographically grounded identity enforcement—which is exactly what modern enterprise security demands.

What Enterprises Should Do Next

If you’re an enterprise security or IAM leader, here’s how to stay ahead of the curve:

Evaluate Your Current Session Model

• Are sessions static or risk-reactive?
• Are tokens bearer-only or bound?

Talk to Your IdP and Vendors

• Are they implementing CAEP, DPoP, DBSC?
• How do they handle session revocation and risk-based enforcement?

Align Your Roadmap

• Plan for standards adoption gradually
• Prioritize high-risk apps or users for pilot projects
• Track industry maturity via OpenID Foundation and vendor-specific working groups

WideField is actively integrating support for CAEP, DPoP, and DBSC into our identity risk platform—enabling customers to embrace signal-based identity with clarity and confidence.

Standards Make Identity Stronger, Together

The future of identity security won’t be built on one protocol alone. It will be powered by a stack of evolving, interoperable standards that reinforce session integrity, token legitimacy, and access intelligence at every layer.

The only question now is: are you building with them?